AD-A108  560 

UNCLASSIFIED 



GAO/AFMD-82-7  NL 







BY THE COMPTROLLER GENERAL
OF THE UNITED STATES

Report To The Congress


Federal  Agencies  Still  Need  To  Develop 
Greater  Computer  Audit  Capabilities 



As the Federal Government becomes increasingly dependent on
computers it is even more important for auditors to ensure that

—computer system controls are designed and operating
properly, and

—computer equipment, programs, personnel, and other
resources are used efficiently, effectively, and
economically.

Past GAO reports recommended that audit organizations do more
computer auditing. In addition, the Comptroller General of the
United States has issued audit standards which outline government
auditors' responsibilities to audit computer-based systems.

Some audit organizations have conducted effective computer
audits. However, many Federal audit organizations have neither
recognized their computer audit responsibilities nor developed
the skills to meet them. This report recommends actions every
Federal agency should take to define, develop, and maintain
appropriate computer audit capabilities.






Request  for  copies  of  GAO  reports  should  be 
sent  to: 

U.S.  General  Accounting  Office 
Document  Handling  and  Information 
Services  Facility 
P.O.  Box  6015 
Gaithersburg,  Md.  20760 

Telephone  (202)  275-6241 

The  first  five  copies  of  individual  reports  are 
free  of  charge.  Additional  copies  of  bound 
audit  reports  are  $3.25  each.  Additional 
copies  of  unbound  report  (i.e.,  letter  reports) 
and most other publications are $1.00 each.
There will be a 25% discount on all orders for
100  or  more  copies  mailed  to  a  single  address. 
Sales  orders  must  be  prepaid  on  a  cash,  check, 
or  money  order  basis.  Check  should  be  made 
out  to  the  "Superintendent  of  Documents". 


COMPTROLLER  GENERAL  OF  THE  UNITED  STATES 
WASHINGTON  D.C.  20548 


B-204784 


To  the  President  of  the  Senate  and  the 
Speaker  of  the  House  of  Representatives 

Computers manage increasing amounts of the Federal Government's
money, property, and information resources and represent
significant expenditures in capital and operating costs.
Effective internal auditing can help assure management that
computer-related controls are adequate to prevent errors, fraud,
waste, and abuse, and that computers are used in the most
effective, efficient, and economical way.

This report discusses the progress by Federal inspector general
and internal audit organizations in meeting their computer audit
responsibilities. It recommends actions for internal audit
organizations to identify their agencies' computer audit needs and
to develop the necessary audit skills to meet these needs.

We are sending copies of the report to the Director of the Office
of Management and Budget and the heads of all Federal departments
and agencies.


Acting  Comptroller  General 
of  the  United  States 




COMPTROLLER  GENERAL'S 
REPORT  TO  THE  CONGRESS 


FEDERAL  AGENCIES  STILL  NEED 
TO  DEVELOP  GREATER  COMPUTER 
AUDIT  CAPABILITIES 


DIGEST 

With  continual  technological  advances,  the  use 
of  the  computer  in  business  and  government  has 
grown.  While  this  has  increased  productivity 
levels  and  satisfied  information  and  program 
needs,  it  has  not  been  without  a  heavy  price. 

The capital and operating costs of computers are significant
expenditures. In addition, computers provide access to an
ever-increasing amount of an organization's money, property, and
other assets; and to information resources, including personal,
proprietary, or other sensitive data.

This growing reliance on computers, coupled with increasing cost,
requires that Federal managers assure themselves that computers
support management goals and objectives, operate efficiently and
economically, and encompass adequate controls to prevent errors,
fraud, waste, and abuse. Internal auditing is an important
management tool to help provide such assurance.

In 1977, GAO reported that at some Federal agencies internal
auditing of automatic data processing systems and controls had
been inadequate.

GAO recommended that all Federal internal audit groups determine
the extent to which their agencies' computer activities need
auditing and develop or acquire staff with the necessary skills
to provide adequate computer audit coverage.

Following up on the 1977 report, GAO found that while some action
has been taken, much still needs to be done. Many Federal
inspector general and internal audit organizations still do not
provide adequate audit coverage to their agencies' computer
operations.

GAO conducted this review to evaluate the progress of Federal
internal audit organizations in responding to increasing needs
and requirements for effective computer auditing. By identifying
agencies' problems and shortfalls in developing


AFMD-82-7 
OCTOBER 16, 1981


Tear  Sheet. 


i 


computer audit capabilities, GAO provides guidance for agencies
in establishing proper computer audit coverage and thereby helps
prevent computer-related fraud, waste, and abuse.

MANY  HAVE  NOT  RESPONDED 
TO  COMPUTER  AUDIT  NEEDS 

Some  of  the  19  Federal  audit  organizations  GAO 
reviewed  cannot  be  sure  they  have  adequately 
identified  their  agencies'  computer  audit  needs 
as  recommended  in  the  1977  report.  GAO  found 
nine  organizations  that  had  limited,  outdated, 
or  no  inventories  of  their  agencies'  computer 
systems  to  aid  in  planning  audit  coverage.  (See 
pp.  7  and  8.) 

GAO also found that many organizations have not developed and
maintained the skilled staff necessary to meet computer audit
responsibilities for their agencies. In particular, six
organizations had little or no computer audit capabilities at the
time of the review, and others acknowledged that computer audit
staff and audit time were not adequate for their needs.

Although GAO found examples of effective computer auditing,
insufficient computer audit capabilities generally resulted in
only limited compliance with the standards issued by the
Comptroller General of the United States for auditing
computer-based systems. Twelve of the nineteen organizations
visited did not have the computer audit capabilities to comply
with the standards at the time of the review. The remaining seven
organizations had conducted or scheduled computer audits to meet
some objectives of the standards. (See pp. 8 to 10.)

GAO  observed  the  following  examples  of  effective 
computer  audits: 

—The General Services Administration suspended development of a
computer system when an audit by its Inspector General showed
that the proposed system would not meet a major system objective
of controlling use, misuse, and abuse of interagency motor pool
credit purchases. (See p. 12.)

—The Department of the Army significantly reduced the number of
computer terminals planned for a $100 million project because the
Army Audit Agency reported that the projected work for computer
terminals was overstated. (See p. 12.)

—The Postal Inspection Service recommended uniform manual and
computer processing controls for the U.S. Postal Service's
redesigned payroll system because of control weaknesses which had
resulted in about $1.75 million in overpayments nationwide. (See
p. 12.)

Some organizations were hindered in acquiring computer audit
staff because of personnel ceiling limitations, Federal hiring
restrictions, or even lack of management support for computer
auditing. GAO also found that many organizations did not have
formal training programs to help develop computer audit skills
for existing staff. (See pp. 14 to 16.)

EVALUATION  OF  COMPUTER-RELATED  CONTROLS 
IS  RECEIVING  GREATER  EMPHASIS 

The need for proper computer-related controls has increased.
Continuing reports of computer fraud and abuse showing losses of
millions of dollars and estimates of hundreds of millions more in
losses from undetected computer crime point to weak
computer-related control. In addition, Federal legislation and
proposed statutes have called for prevention of fraud, waste, and
abuse in private companies and Federal agencies by requiring that
managers establish and maintain adequate systems of internal
control. These systems necessarily include computer-related
controls. As a further indication, public accounting firms have
increased their consideration of computer-related controls in
audit work.

Despite this emphasis, GAO found little overall direction—other
than the GAO audit standards—requiring Federal internal audit
organizations to specifically evaluate computer-related controls.
Such evaluations can help minimize error, fraud, waste, and abuse,
but are also necessary if government auditors are to fulfill their
professional audit responsibilities. GAO believes the need for
Federal agencies to develop their computer audit capabilities is
even greater today than it was at the time of the 1977 report.


iii






RECOMMENDATIONS 


To help ensure appropriate computer audit coverage, GAO
recommends that the head of each Federal agency require inspector
general and internal audit organizations to:

— Identify  the  agency's  computer  audit  universe, 
including  existing  computer  systems  and  major 
applications  as  well  as  those  being  planned 
for  design  and  development. 

—Determine the extent to which computer activities need auditing
and conduct needed audits based on requirements of the GAO
computer audit standards relating to the adequacy of general and
application controls. Computers should also be considered in
fulfilling audit responsibilities to review for efficient,
effective, and economical operations.

— Determine  the  staff  and  skills  needed  to  meet 
computer  audit  responsibilities,  and  consider 
alternatives  for  developing  and  sustaining 
these  capabilities. 

— Periodically  review  audit  coverage  of  computer 
systems  and  adjust  allocations  of  staff  re¬ 
sources  accordingly. 

— Establish  a  basic  level  of  computer  knowledge 
which  all  audit  staff  must  attain.  Auditors 
may  reach  this  basic  level  either  through 
their  own  educational  programs  or  by  training 
during  their  employment. 

In addition, GAO recommends that the Office of Management and
Budget play a more active role in monitoring agencies' progress
in developing and maintaining their computer audit capabilities
and provide guidance as appropriate, addressing internal audit
evaluation of computer-related controls.

AGENCY  COMMENTS 

Eighteen of the nineteen agencies reviewed provided comments to
the report and generally agreed with recommendations. Several
included information on specific actions taken to help provide
adequate audit coverage for their agencies' computer operations.
The Office of Management and Budget also commented and agreed on
the importance of proper attention to computer auditing. (See
pp. 23 and 24.)


iv 








Contents

                                                              Page

DIGEST                                                           i

CHAPTER

  1  INTRODUCTION                                                1
       How has the computer affected auditors'
         responsibilities?                                       1
       GAO reports recommend computer audit involvement          2
       GAO provides audit standards and guidance for
         Federal computer audits                                 3
       Objective, scope, and methodology                         5

  2  MANY FEDERAL AUDIT ORGANIZATIONS HAVE NOT MET
     COMPUTER AUDIT RESPONSIBILITIES                             7
       Some have not considered total agency computer
         operations in providing audit coverage                  7
       Agency compliance with GAO computer audit
         standards is limited                                    8
       Management commitment is needed to provide
         computer audit capabilities                            13
       Staffing restrictions may call for increased
         computer training for existing staff                   14
       Formal training programs are needed to provide
         computer audit skills                                  15

  3  GROWING CONCERN FOR PROPER COMPUTER-RELATED CONTROLS
     REQUIRES GREATER EMPHASIS BY FEDERAL INTERNAL AUDIT
     ORGANIZATIONS                                              17
       Continuing computer crime demands proper
         computer-related controls                              17
       Congress supports adequate internal control systems      18
       Public accounting firms emphasize evaluation of
         computer-related controls                              19
       Federal audit policy does not emphasize
         computer-related controls                              19

  4  CONCLUSIONS AND RECOMMENDATIONS                            21
       Conclusions                                              21
       Recommendations                                          22
       Agency comments                                          23

APPENDIX

  I    Inspector general and internal audit organizations
         contacted during review                                25
  II   Number of computer systems and related central
         processing units for agencies contacted during
         this review at September 30, 1980                      26
  III  Additional inspector general and internal audit
         organizations providing information for this
         review                                                 27
  IV   Responses of audit organizations to selected
         items of review questionnaire                          28
  V    Summary of additional GAO audit standards for
         auditing computer-based systems                        32
  VI   Agency responses                                         41
         Office of Management and Budget                        41
         Department of Agriculture                              43
         Department of Health and Human Services                45
         Department of Education                                49
         Department of Housing and Urban Development            51
         Department of Labor                                    53
         Department of Transportation                           57
         General Services Administration                        61
         National Aeronautics and Space Administration          62
         Veterans Administration                                64
         Department of the Treasury                             67
         Comptroller of the Currency                            69
         Department of Energy                                   70
         Department of Commerce                                 72
         Federal Home Loan Bank Board                           75
         U.S. Postal Service                                    77
ABBREVIATIONS

AAA    Army Audit Agency
ADP    automatic data processing
AFAA   Air Force Audit Agency
AICPA  American Institute of Certified Public Accountants
EDP    electronic data processing
GAO    General Accounting Office
GSA    General Services Administration
NAS    Naval Audit Service
OMB    Office of Management and Budget

CHAPTER  1 


INTRODUCTION 

Growing information needs and continued improvements in computer
performance-price ratios have spread computer technology
throughout business and government. Although the computer can
satisfy many information demands and increase productivity, it
can also be a source of error, fraud, waste, and abuse. This
increases auditors' responsibilities to help assure management
that

—computer systems and their controls are designed and operating
properly so as to safeguard assets; minimize opportunities for
misuse; and provide accurate, timely, and reliable information;
and

—computer resources are used efficiently, effectively, and
economically.

Computers represent not only significant investments and
expenditures; they also control access to much of an
organization's assets and information resources. In the Federal
Government, total costs for computer resources currently exceed
$15 billion annually. According to inventories reported by the
General Services Administration (GSA), the number of computers
used by the Federal Government has grown from 11,124 at the end
of fiscal 1977 to 14,333 at the end of fiscal 1979, and is
expected to expand to over 18,000 through fiscal 1981. These
computers control vast amounts of assets and information
resources. For example, in fiscal 1979, the computer-based system
for the Social Security Administration's Retirement and Survivors
Insurance and Disability Insurance programs paid benefits of
$87.6 billion to 30.1 million retirement and survivors insurance
beneficiaries and $13.4 billion in benefits to 4.8 million
disability insurance recipients. The magnitude and growth of
Federal resources represented and controlled by the computer
should compel Government agencies to increase computer auditing.

This report shows the status of computer auditing in Federal
internal audit organizations, alerts such organizations to the
increasing need and requirements for computer auditing, and
provides guidance on establishing the capabilities necessary for
proper audit coverage of agencies' computer operations.

HOW  HAS  THE  COMPUTER  AFFECTED 
AUDITORS'  RESPONSIBILITIES? 


Use of the computer to automate an organization's data processing
has added another dimension to auditors' responsibilities.
Traditional audit approaches for evaluating the controls over
manual data processing systems may no longer be appropriate for
auditing automatic data processing (ADP) systems. In addition,
auditors must also consider the impact of the computer in
reviewing the overall efficiency, effectiveness, and economy of
agency operations.


Computers require a specialized look at the system of internal
control to ensure accurate, reliable data and adequate safeguards
for moneys, property, and other assets. A computer-based data
processing system consists of the computer hardware and programs
it uses, as well as the organizations and procedures—some of them
manual—for preparing data input to the computer and for using its
data output. For years, some auditors succeeded in auditing
around processing controls contained in computer hardware and
programs by comparing input material with computer output and
manually verifying computations. However, (1) the increasing
number of computer uses, (2) the volume and complexity of
computer computations, and (3) the trend toward online
transaction systems with frequent elimination of traditional
paper input, all demand that auditors now be able to audit the
computer itself.

Computers  also  affect  auditors'  responsibilities  to  review 
for  efficient,  effective,  and  economical  operations.  Auditors 
should  consider  in  their  work  such  factors  as  (1)  proper  computer 
system  design,  (2)  propriety  of  decisions  to  lease  or  purchase 
computers,  and  (3)  user  satisfaction  with  computer-generated  data. 

For government audits, the Comptroller General of the United
States has issued specific standards for auditing computer-based
systems. (See p. 3.) In addition, GAO has published audit guides
to help the auditor evaluate the controls of computer-based
systems. The guides include "Audit Guide for Reliability
Assessment of Controls in Computerized Systems (Financial
Statement Audits)," May 1978, "Assessing Reliability of Computer
Output," June 1981, and "Evaluating Internal Controls in
Computer-Based Systems," June 1981.

Other professional audit authorities have also provided standards
and guidance stressing auditors' computer audit responsibilities.
The American Institute of Certified Public Accountants (AICPA)
issued a statement on auditing standards which addresses the
effect of the computer on the independent accountant's evaluation
of internal accounting controls. Other auditor guidance includes
the "Systems Auditability & Control Study" prepared for the
Institute of Internal Auditors, Inc. and "Control Objectives
1980" and "Certified Information Systems Auditors Study Guide,
January 1981" by the EDP (electronic data processing) Auditors
Foundation for Education and Research.

GAO  REPORTS  RECOMMEND 
COMPUTER  AUDIT  INVOLVEMENT 

Several GAO reports have expressed our concern for adequate
computer audit coverage throughout Government. Two such reports
recommended greater computer audit involvement by internal audit
groups—one to improve automated decisionmaking by computers and

2 






the other to help prevent computer-related crime. 1/ A third
report, "Computer Auditing in the Executive Departments: Not
Enough Is Being Done," recommended actions Federal internal audit
groups should take for a proper and effective response to
computer auditing needs. 2/ This report recommended that internal
audit groups study the effect of ADP on their agencies'
operations to determine the extent to which computer activities
need auditing. It also recommended that these groups determine
the availability of computer audit staff, and develop or acquire
staff with the necessary skills to provide adequate computer
audit coverage.

Recent GAO reports indicate areas where computer audit work can
contribute to more effective, efficient, and economical
operations. For example, the report "Continued Use of Costly,
Outmoded Computers in Federal Agencies Can Be Avoided" showed
that certain agencies have not recognized the costs and problems
of continuing to use outmoded computers. 3/ This report noted
that annual savings of $1.4 million are attainable at four
Federal computer facilities by replacing older equipment, and
that hundreds of Federal computer facilities have similar old
equipment. This report suggests that auditors have a role to play
in verifying the possibility of such savings.

GAO  PROVIDES  AUDIT  STANDARDS  AND  GUIDANCE 
FOR  FEDERAL  COMPUTER  AUDITS 


Audit standards issued by the Comptroller General of the United
States provide guidance for computer auditing by government
auditors. Specified computer audit standards define the degree
and type of computer auditing necessary to help ensure that
computer-based systems are properly controlled. Federal auditors,
in particular, must consider the objectives of these standards in
fulfilling their professional audit responsibilities.

We recognized a need for specific computer audit standards
through a 1977 workshop on computer security sponsored jointly by
the National Bureau of Standards and GAO. As a result of this
workshop report, 4/ the Comptroller General in 1979 issued
additional standards for auditing computer-based systems. These
standards


1/"Improvements Needed In Managing Automated Decisionmaking By
Computer Throughout the Federal Government" (FGMSD-76-5, Apr. 23,
1976) and "Computer-Related Crimes In Federal Programs"
(FGMSD-76-27, Apr. 27, 1976), respectively.

2/FGMSD-77-82, Sept. 28, 1977.

3/AFMD-81-9, Dec. 15, 1980.

4/"Audit and Evaluation of Computer Security" (NBS Special
Publication 500-19, Oct. 1977).


3 


became effective January 1, 1980, and supplement our basic
document "Standards For Audit of Governmental Organizations,
Programs, Activities and Functions."

In early 1981, we incorporated and issued these supplemental
standards in our revised basic document. The standards state
that the auditor shall:

1. Review general controls in data processing systems to
determine that (a) controls have been designed according to
management direction and legal requirements, and (b) such
controls are operating effectively to provide reliability of,
and security over, the data being processed.

2. Review application controls of installed data processing
applications upon which the auditor is relying to assess their
reliability in processing data in a timely, accurate, and
complete manner.

In general, the standards call for the auditor to evaluate the
general controls of computer-based systems and the controls of
computer applications (data, computer program(s), and associated
manual activities designed to perform a specific job such as
payroll computation, inventory control, or accounting). General
controls normally pertain to all data processing done at an
installation and include controls such as separation of employee
duties; transaction authorization and approval procedures;
security of computer hardware, computer programs, data files, and
personnel; provisions for continued processing of critical
applications during an emergency; and so forth. Application
controls are those that may vary among applications, such as
processing controls to check for unreasonable data items or data
that exceeds certain preestablished limits for the applications
involved.
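The two ideas above, application controls that reject unreasonable or out-of-limit input, and auditing the computer itself rather than only matching input to output (chapter 1, "How has the computer affected auditors' responsibilities?"), can be shown in a short script. The following is an added example for this edited copy; it is not part of the GAO report and is not any agency's audit software. The payroll rule, the limits, the record layout and the records are constructed assumptions. The script first re-applies the application's limit checks to the input file, then performs a parallel simulation: it recomputes each record independently from the input and compares the result with what the system actually paid, flagging overpayments, dropped transactions, and payments with no supporting input.

```python
"""Added example (not from the GAO report): two computer audit techniques
applied to a constructed, hypothetical payroll run.

1. Application-control test: re-apply the limit/reasonableness checks the
   application is supposed to enforce and see what the input actually contains.
2. Parallel simulation: recompute each record independently from the input
   and compare with the system's output, record by record.

All names, limits and records below are assumptions made for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Assumed application limits (a real audit takes these from the application's
# documented control specification, not from the auditor's guess).
MAX_HOURS_PER_PERIOD = Decimal("80")
MAX_HOURLY_RATE = Decimal("60.00")
OVERTIME_THRESHOLD = Decimal("40")
OVERTIME_MULTIPLIER = Decimal("1.5")
TOLERANCE = Decimal("0.01")  # rounding differences are not findings


@dataclass(frozen=True)
class PayInput:
    employee_id: str
    hours: Decimal
    rate: Decimal


@dataclass(frozen=True)
class PayOutput:
    employee_id: str
    gross_pay: Decimal


def limit_checks(rec: PayInput) -> list[str]:
    """Application controls: flag input the system should have rejected."""
    findings = []
    if rec.hours < 0 or rec.rate < 0:
        findings.append(f"{rec.employee_id}: negative hours or rate")
    if rec.hours > MAX_HOURS_PER_PERIOD:
        findings.append(f"{rec.employee_id}: hours {rec.hours} exceed limit {MAX_HOURS_PER_PERIOD}")
    if rec.rate > MAX_HOURLY_RATE:
        findings.append(f"{rec.employee_id}: rate {rec.rate} exceeds limit {MAX_HOURLY_RATE}")
    return findings


def expected_gross(rec: PayInput) -> Decimal:
    """Auditor's independent recomputation of the (assumed) documented pay rule."""
    regular = min(rec.hours, OVERTIME_THRESHOLD)
    overtime = max(rec.hours - OVERTIME_THRESHOLD, Decimal(0))
    gross = regular * rec.rate + overtime * rec.rate * OVERTIME_MULTIPLIER
    return gross.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(inputs, outputs) -> list[str]:
    """Compare system output against independent recomputation."""
    by_id = {o.employee_id: o for o in outputs}
    findings = []
    for rec in inputs:
        out = by_id.pop(rec.employee_id, None)
        if out is None:
            findings.append(f"{rec.employee_id}: input record with no output (dropped transaction)")
            continue
        want = expected_gross(rec)
        if abs(out.gross_pay - want) > TOLERANCE:
            findings.append(f"{rec.employee_id}: system paid {out.gross_pay}, recomputed {want}")
    # Anything left in by_id was paid without a matching input record.
    for orphan in by_id.values():
        findings.append(f"{orphan.employee_id}: output with no matching input (unsupported payment)")
    return findings


def audit(inputs, outputs) -> list[str]:
    """Run both techniques and return every finding, limit checks first."""
    findings = []
    for rec in inputs:
        findings.extend(limit_checks(rec))
    findings.extend(parallel_simulation(inputs, outputs))
    return findings


# Constructed sample run (hypothetical data, not from any real system).
SAMPLE_INPUT = [
    PayInput("E001", Decimal("40"), Decimal("20.00")),  # clean record
    PayInput("E002", Decimal("50"), Decimal("20.00")),  # overtime owed
    PayInput("E003", Decimal("95"), Decimal("20.00")),  # exceeds hours limit
    PayInput("E004", Decimal("40"), Decimal("20.00")),  # dropped by the system
]
SAMPLE_OUTPUT = [
    PayOutput("E001", Decimal("800.00")),
    PayOutput("E002", Decimal("1000.00")),  # no overtime premium: should be 1100.00
    PayOutput("E003", Decimal("2450.00")),  # arithmetic is right, but input was out of limit
    PayOutput("E999", Decimal("500.00")),   # no input record at all
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INPUT, SAMPLE_OUTPUT):
        print(line)
```

On the sample run the limit check catches E003, and the parallel simulation separately reports the E002 underpayment of the overtime premium, the dropped E004 record, and the unsupported E999 payment; E003 passes the recomputation even though its input should never have been accepted, which is why the two techniques are complementary rather than interchangeable.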

We and other audit authorities, such as the Institute of Internal
Auditors and the EDP Auditors Foundation for Education and
Research, believe that the audit function should include auditor
participation in reviewing the design, development, and
significant modification of data processing systems and
applications. 1/ This participation helps ensure that the systems
or applications contain adequate controls and appropriate audit
trails, that is, the means to identify and trace transactions.
However, we recognize that such participation is not always
possible because of the high level of computer knowledge required
or limited computer audit staff. For this reason, we have
included this matter in our revised standards as a goal or
objective for future audit activities. A more


1/A  1980  International  Business  Machines  publication  for  improving 
control  of  information  systems,  "Staying  In  Charge,"  notes  that 
"Auditors  should,  of  course,  influence  the  design  of  any  control 
system  and  procedures  for  managing  the  flow  of  information." 


4 


detailed discussion of this objective and the computer audit
standards is presented in appendix V.

Federal audit organizations' compliance with the objectives of
the GAO audit standards can help provide assurance to agency
management that computer systems and their controls properly
safeguard assets and provide accurate, timely, and reliable
information. In addition, the Office of Management and Budget
(OMB) prescribes the GAO government audit standards as the basic
criteria for audit coverage and operations by executive
departments and agencies. The Inspector General Act of 1978
(5 U.S.C. app.) also requires compliance with these standards by
the inspector general organizations the act created. In chapter
2, we discuss the extent of Federal audit organization compliance
with the computer audit standards.

OBJECTIVE,  SCOPE,  AND  METHODOLOGY 

The objective of this review was to study the progress of
executive departments and agencies in developing and
strengthening their computer audit capabilities. The review is a
followup to recommendations in our earlier reports as mentioned
above, and also addresses the extent of agency compliance with
the GAO standards for auditing computer-based systems.

We reviewed the computer audit activities of 19 Federal inspector
general and internal audit organizations (see app. I) for the
period October 1, 1977, to June 30, 1980. These include the 12
internal audit groups reviewed in our 1977 report plus 7
additional audit organizations selected for this review. The
departments and agencies represented by these organizations
(excluding the U.S. Postal Service) accounted for over 90 percent
of the Federal computer inventory as of September 30, 1980. (See
app. II.)

Other Federal audit organizations and the public accounting
sector also provided information for this review. We wrote to an
additional 33 Federal audit organizations, essentially all those
remaining in GAO's "Directory of Federal Audit and Inspector
General Organizations." Sixteen of these organizations responded
and provided narrative information on their progress in computer
auditing. (See app. III.) We also visited three large certified
public accounting firms to learn their approaches to and
achievements in computer auditing. These firms were Arthur
Andersen & Co., Coopers & Lybrand, and Ernst & Whinney.

As our definition of computer auditing in this review, we used
the auditor's responsibilities to review computer-related
controls as prescribed by the GAO standards for auditing
computer-based systems. (See app. V.) This definition focuses on
auditing the computer itself as opposed to using the computer
solely as an audit tool in selecting samples or analyzing data in
computer information bases.


For this review we selected primarily those organizations whose
departments or agencies represent significant portions of the
Federal computer inventory. However, some agencies were included
to help provide a cross-section of Government activities and
programs that receive internal audit coverage. For example, we
selected both the Comptroller of the Currency and the Federal
Home Loan Bank Board to represent the Government's financial
institution regulatory activities.

To determine the extent of computer auditing by the 19 audit
organizations, we reviewed their planning documents, audit plans,
computer audit reports, audit guidance, training records, and
other related documents. We also interviewed senior managers of
these organizations, including inspectors general, to ascertain
their management philosophies and approaches to providing
computer audit coverage for their respective agencies. To aid in
obtaining comparative information, these managers also completed
a GAO-developed questionnaire on their organizations' computer
audit responsibilities and activities. We analyzed the
information obtained and present in this report what we judge to
be an accurate portrayal of the status of computer auditing in
the executive departments and agencies.




CHAPTER 2

MANY FEDERAL AUDIT ORGANIZATIONS
HAVE NOT MET COMPUTER AUDIT RESPONSIBILITIES


Our review of 19 Federal inspector general and internal audit organizations showed that since our 1977 report, many of these organizations have not met audit responsibilities for their agencies' computer operations. For example, nine of the organizations we visited had limited, outdated, or no inventories of their agencies' computer systems to aid in planning audit coverage. In addition, 16 of the 19 organizations acknowledged that their computer audit staffs and audit time were not adequate to meet computer audit responsibilities for their agencies.

As a result of these inadequacies, we found only limited compliance with our standards for auditing computer-based systems. Our review did indicate signs of progress, including actions to implement the GAO computer audit standards and examples of effective computer audit work; however, only 7 of the 19 organizations visited had conducted or scheduled computer audits meeting the objectives of the standards.

In some cases lack of management support for computer auditing had restricted development of computer audit staff and skills. Personnel ceilings and Federal hiring restrictions also had hindered organizations in their attempts to acquire skilled staff. In addition, we observed that many organizations did not have formal training programs to help develop and maintain the computer audit skills of existing staff.

SOME HAVE NOT CONSIDERED
TOTAL AGENCY COMPUTER OPERATIONS
IN PROVIDING AUDIT COVERAGE

Most organizations we reviewed are including some computer audit work in their audit plans by considering such factors as cost of computer equipment, operating cost of a computer system, number of system locations, known or expected problems, or vulnerability of a system to fraud, waste, or abuse. However, some did not consider all agency computer operations in planning and selecting their audits. For example, five organizations had not developed or otherwise obtained inventories of agency computer systems to use in planning audit coverage, and four others had limited or outdated inventories. Without knowledge of their agency's total computer operations, these audit organizations cannot be sure that they provide appropriate and effective audit coverage.

A good plan for internal audit should include identifying all agency programs and operations subject to audit—the audit universe. Our 1977 report recommended that agency internal audit groups determine the extent of computer auditing necessary for their agencies. Identifying the computer audit universe is an essential first step in making this determination.

The computer audit universe may be represented by inventories of existing agency computer systems, but inventories alone may not indicate all areas of computer operations that organizations must consider. Information on areas such as systems being designed and developed or planned equipment acquisitions should also be obtained. This may require closer coordination with the agency's data processing element. For example, at the General Services Administration the Office of Inspector General is to be routinely notified of all planned GSA system design and development projects for possible audit participation. Several other audit organizations had no such arrangements, which increased the difficulty of identifying computer audit areas for their agencies.

Federal departments and agencies receive general direction from the Office of Management and Budget to guide audit organizations in providing adequate internal audit coverage. 1/ While not specifically addressing computer auditing, this guidance requires an audit organization to identify the audit universe for its agency. It also provides general factors or priorities to consider in selecting candidates for audit from the audit universe. Candidates are also indicated by additional OMB guidance, such as requirements for Federal agencies to audit or evaluate the security safeguards for sensitive computer systems, that is, systems that process personal, proprietary, or other sensitive data or those with a high potential for financial loss. 2/

AGENCY COMPLIANCE WITH GAO
COMPUTER AUDIT STANDARDS IS LIMITED


Some audit organizations we reviewed were in partial compliance with the GAO computer audit standards in that they have conducted or scheduled some computer audits that address general and application controls. Some have also conducted or scheduled audits of developmental systems or applications. However, of 19 organizations visited, 16 acknowledged that computer audit time and staff were not adequate for their computer audit responsibilities, particularly those concerning review of system design and development. Moreover, of these 16 organizations, 6 (including the Office of Inspector General for the newly created Department of Education) have lost or have yet to develop the computer audit capability of their staff. These six organizations have plans to upgrade their capabilities, but at the time of our review their compliance with any of the standards was extremely limited and in some cases nonexistent.


1/ OMB Circular No. A-73 (Revised), Mar. 15, 1978.

2/ OMB Circular No. A-71, Transmittal Memorandum No. 1, July 27, 1978.



On a more positive note, we did find that several organizations were acting to actively implement the standards in their internal audit operations. We also found several excellent examples of effective computer auditing.

Agencies lack computer audit
capabilities for full compliance

Our review disclosed that only about 7 of 19 audit organizations reviewed had past audit reports, current audits, and scheduled future audits addressing the basic objectives of the GAO computer audit standards. For example, one of these seven, the Office of Inspector General for the Department of Agriculture, reviews computer

— general controls in periodic audits of the Department's four computer centers and in other program audits, particularly ADP security;

— application controls usually as segments of non-ADP audits; and

— design and development activities through its "systems monitoring" audit work, which attempts to review all computer-related controls of a developmental system.

However, many of these seven still do not have the computer audit capability they need. The remaining 12 have even less computer audit capability; 6 have essentially none.

Five of the seven agencies in partial compliance with the audit standards admit they have less computer audit capabilities than they need. For example, the Air Force Audit Agency (AFAA) has scheduled and performed computer audits which address the objectives of both computer audit standards and the design and development audit goal. From October 1, 1977, to June 30, 1980, AFAA began 42 separate computer audits, completed 28 of these, and spent a total of 5,781 staff days on this work. Also, as of June 30, 1980, the AFAA had about 777 professional staff, 116 of whom were considered to be computer audit "generalists"—that is, auditors and managers with some advanced or specialized computer training. Despite this obvious computer audit activity, AFAA officials feel that computer audit time and number of available computer auditors are less than needed for the Air Force's some 1,600 most significant computer systems. AFAA officials specifically note less than adequate capabilities in the areas of computer application controls, computer security, and system design and development.

During our review, we noted six audit organizations that did not even approach compliance with the computer audit standards. In some cases, computer audit staff had been lost and not replaced. In other cases, initial computer audit staffs were just being developed.




As late as November 1979, one of these organizations had seven computer specialists, but only two remained at the time of our review. Before the loss in personnel, this organization's computer audit work basically conformed with the computer audit standards. However, with a staff of only two the group could not perform most of its scheduled computer audits for fiscal 1980. This organization's future compliance with the GAO computer audit standards may depend entirely on the success of its ongoing recruiting efforts to restaff the computer audit group. Although the other five organizations had very limited or no computer audit capabilities, by the end of our review each was recruiting or training staff to regain or establish this capability.

The most common weakness in the 19 organizations we talked to was a lack of capability to review the design and development of new computer systems and applications. These organizations generally lacked the level of technical knowledge needed to do these audits properly. However, participating in reviews of system design and development should remain an auditing goal.

Some audit organizations have acted
to implement the GAO computer audit standards

During our review, we noted that several audit organizations had acted to define or to organize their computer audit operations specifically around the requirements and objectives of the GAO computer audit standards. These actions include participating in the computer system design and development process and using the standards to structure computer audit policy and audit guidelines and programs.

Some of these positive actions to implement the standards are described below. They may provide useful guidance for other organizations wanting to establish or direct their own computer audit activities.

Army auditors increase involvement
during design and development stage

The Army Audit Agency (AAA) used objectives of the GAO computer audit standards to justify increased involvement in computer system design and development. This reversed an earlier AAA decision to decrease such involvement.

In 1972, AAA officials limited auditor participation in the design and development of data processing systems, setting the policy that the AAA would no longer monitor selected developmental systems from inception through Army approval as operational. Instead the AAA would essentially participate only in testing of selected developmental systems just prior to the systems becoming operational. However, given our position on auditor participation in reviewing computer systems and applications during their design and development, AAA reversed this policy. It will now perform selected reviews of systems during design and development to determine the adequacy of internal controls being designed into the system, and to determine management effectiveness for the system development effort.

In addition, an AAA official has conducted classes for members of the Army Computer Systems Command involved in the system design and development process. These classes provide the auditor's perspective on the purpose of and need for designing internal controls and audit trails into data processing systems.

Audit organizations use GAO standards
to organize computer audit guidance

Several organizations have incorporated the GAO computer audit standards into their audit guidance material. This guidance includes audit guidelines and audit programs structured around the standards.

The Air Force Audit Agency is working on a three-volume set of audit guidelines to parallel the two computer audit standards and the goal for auditor participation during design and development. During our review, AFAA had completed one volume and was continuing work on the remaining two. The completed volume, "Guidelines for Audits of Operational Computer Based Systems," corresponds to the GAO standard for review of application controls. These new audit guidelines give background on each audit area, technical skills needed to perform an audit, audit objectives and guidelines, and suggested audit steps.

The AFAA guidelines expand on the "Guidelines for Audits of Automatic Data Processing" developed by a Department of Defense study panel for the Office of the Assistant Secretary of Defense (Comptroller). The Defense guidelines were still in draft at the end of our review. Their purpose is to improve computer audit coverage Department-wide by establishing a unified approach and consistent basis for computer auditing. They also define the auditor's role and establish criteria for education and experience in computer auditing. They include an appendix which categorizes each identified audit area by the GAO computer audit standard(s) or audit goal it addresses.

As another example, the Naval Audit Service (NAS) uses three standardized audit programs for its computer audits. According to NAS officials, each program generally corresponds to one of the GAO computer audit standards and the system design and development goal. These audit programs contain detailed audit steps which the auditor tailors to the needs of the particular audit.

Some agencies perform effective
computer audits

During our review, we noted several examples of effective computer auditing which resulted in savings and program improvements. Three such examples are provided below.




General Services Administration


In early 1979, auditors with GSA's Office of Inspector General began participating in a GSA computer system development project called the "Credit Card Accounting and Reporting System." The auditors' participation was to ensure that those developing the system adequately considered its documentation, auditability, and internal controls. A major objective was to control the use, misuse, and abuse of the U.S. Government National Credit Card (Standard Form 149), used for interagency motor pool purchases.

During their preliminary review, GSA auditors found the system could meet some of its objectives, but not a major one: to control fraudulent use and abuse of valid credit cards. This weakness was due primarily to GSA's inability to successfully negotiate for necessary oil company data on Government purchases. Such information was necessary to develop the data base for many planned reports. From their preliminary review, the auditors concluded that other alternatives should be explored before further development of the credit card system. As a result, system development was suspended and it remained in that status through the end of our review. This suspension means that GSA will not incur additional costs for a computer system that does not meet management's objectives. A GSA auditor indicated that estimates of costs avoided could include a remaining $150,000 for personnel in the development process and an estimated $193,000 in annual operating costs.

Army Audit Agency

The review of the Army's Project Vertical Installation Automation Baseline is an example of the results of Army Audit Agency computer auditing. AAA made this review in part to determine the reasonableness of computer workload requirements for the project, a 10-year effort to upgrade the data processing capability at 46 Army installations. The estimated cost for this project exceeds $100 million. In its February 1980 report, AAA concluded that the project's workload requirements were overstated, which could lead to acquiring too much computer support for the installations. At four installations reviewed, AAA auditors found workload projections overstated by 17 to 36 percent, for a total of 238 terminals. Based on this finding, the Army substantially cut the number of computer terminals required for the 46 installations.

Postal Inspection Service

In 1979, the Postal Inspection Service made a nationwide review of the U.S. Postal Service's redesigned payroll system. The objectives included determining whether this system properly executes and controls payroll adjustments, and controls collections of payroll advances and accounts receivable. During this review, postal inspectors also used many computer programs to select, summarize, and analyze payroll data.


One review finding showed the system processing and paying many duplicate and incorrect adjustments, and some incorrect payments occurring with certain holiday work conditions. Postal inspectors attributed these weaknesses to inadequate or inoperative computer programming controls and manual controls, and to a lack of effective methods and controls for recovering overpayments. Postal inspectors estimated the nationwide overpayments resulting from these control weaknesses at about $1.75 million. The audit report recommended establishing uniform manual and automatic data processing control methods to ensure detection and correction of payroll errors.

MANAGEMENT COMMITMENT IS NEEDED
TO PROVIDE COMPUTER AUDIT CAPABILITIES

Our review showed that changes in an organization's policies or commitment for computer auditing sometimes hindered the development or caused a loss of computer audit staff. As the following examples indicate, without proper management support organizations cannot develop or maintain appropriate staff and skills to provide proper computer audit coverage.

In 1972, the Air Force Audit Agency revised its planning policy to reduce the number of computer audits and to do more of other types of audit which could provide more measurable savings. As computer audits occurred less often, AFAA auditors had less time to keep specialized procedures current or to develop new techniques. The revised audit policy coupled with personnel losses and accelerated technical changes in the computer environment all contributed to a rapid decline during the late 1970s in AFAA's ability to audit complex Air Force computer systems. However, AFAA management has adopted objectives designed to reverse this trend and enhance computer audit skills. These objectives include identifying and updating the computer audit inventory, obtaining personnel with needed skills through recruiting or training, and improving the computer audit training program.

A few Federal agencies have lost much or all of their computer audit staff due to attrition and have been slow to rebuild these staffs. Management in these agencies simply lacked a commitment to computer auditing. For example, as discussed earlier in this chapter, one computer audit group lost six of the seven members on board in November 1979 and had replaced only one by August 1980. Management's indecisiveness about the role of the computer audit group within the organization contributed to this staff attrition, which caused delay or cancellation of planned audit work. In another case, a senior official of the audit organization judged computer auditing to be an insignificant area for the agency even though the agency's data processing activities had not been recently surveyed. As a result, organization officials did not replace lost computer audit staff for well over a year. Again, planned audits had to be canceled.




In some audit organizations we found that management resistance to computer technology slowed the initial development of computer auditing. This resistance is being overcome and these organizations now have hiring or training programs to develop computer auditing staffs.

STAFFING RESTRICTIONS MAY CALL FOR INCREASED
COMPUTER TRAINING FOR EXISTING STAFF

Hiring people with appropriate computer audit knowledge and experience is one way for an organization to acquire a qualified computer audit staff, but this is not always possible. A few organizations have successfully done this, but others have been hindered by personnel ceilings, hiring freezes, and the like. In such cases, managers must look to existing staff to provide necessary computer audit skills.

Many audit organizations we reviewed had plans to create their staffs by hiring persons already trained in computer auditing or computer technology. Some, like the General Services Administration, have been successful. GSA's Office of Inspector General received an increased personnel ceiling and was able to devote some auditing positions exclusively to computer auditing. At the time of our review, the group had grown to include eight auditors, with the addition of four more planned—at least one of whom will be a computer specialist. However, subsequent to our review, GSA reduced the planned additional staff to two instead of four because of budget and staffing restrictions.

Some other agencies have experienced problems in acquiring computer audit staff. Our review questionnaire showed that of 15 organizations indicating that computer audit time available was less than needed, 7 attributed this to inadequate staffing due to personnel ceilings. (See app. IV.) Some of these pointed to the President's March 14, 1980, Federal hiring limitations as hindering the replacement of lost staff. 1/ Two others indicated that, regardless of personnel ceilings, they could not attract enough staff with computer audit knowledge and skill in the foreseeable future.

As hiring of trained computer audit staff becomes more difficult, audit organizations can use existing staff to perform computer audits if the necessary training is provided. An appropriate training program can supplement recruiting efforts. For example, AFAA has been unable to hire sufficient computer-trained auditors and, as an alternative, is emphasizing development of its computer audit training program to provide the necessary audit skills.


1/ The Jan. 21, 1981, Federal hiring freeze further restricts recruitment by executive agencies.




FORMAL TRAINING PROGRAMS ARE NEEDED
TO PROVIDE COMPUTER AUDIT SKILLS


Few organizations we reviewed had a formal training program to provide auditors and computer audit staff with the level of computer knowledge necessary for their audit work. Professional audit standards require that auditors have adequate knowledge and skills to perform their work, and with the growing dependence on ADP an understanding of computers has become essential. A formal training program can help ensure that appropriate knowledge and skills are developed and maintained.

All auditors need basic computer knowledge

No modern auditor can do without a basic awareness of computer technology. Growing use of the computer to automate accounting systems and provide management information increases the likelihood that auditors must use computer-generated reports or other information and must consider the impact of the computer on their audit work. However, during our review we found that only 6 of 19 organizations provided a basic level of computer training for all auditors.

While some aspects of computer auditing may require highly specialized skills, others which use computer-generated data may simply require an understanding of the computer and its workings. The auditor may need to know what information a computer system can provide, the risk of accepting such data as correct, and when to bring in additional technical audit assistance to determine data accuracy and reliability. In addition, computer knowledge aids the auditor in communicating with agency computer personnel.

The need for a basic level of computer knowledge in government auditing is well recognized. For example, in January 1979 the Federal Audit Executives Council endorsed a training program that shows the types of training desirable to develop and maintain a government auditor's skills. The program prescribes basic instruction on computers for all auditors who have not received such knowledge in their educational backgrounds.

Training is essential to ensure
that computer audit staffs are qualified

The skills needed to sustain an audit organization's computer audit capabilities require continual training. Several organizations do provide computer training programs, but the majority of those reviewed do not provide formal audit training opportunities. Without such training, the organization cannot ensure that adequate computer audit skills will be available when needed.

Auditors, computer specialists, or both, may provide the computer audit expertise needed by an audit organization. Qualified consultants may also be used. However, when computer audit skills come from within the audit organization, training plays an important role. Depending on their educational background, auditors may need training in internal controls of automated systems, computer programming, data retrieval, or other computer skills. On the other hand, computer specialists working for the audit group may require training in basic auditing concepts or familiarization with an agency's computer hardware or software. In addition, both auditors and computer specialists need continuing training to keep up with changing computer technology or changes to agency computer systems and hardware.

Some agencies or audit organizations have put together their own programs and are now providing external training at other agency or Government training facilities, colleges and universities, through seminars, and through correspondence courses such as those offered by the U.S. Army Institute for Professional Development.

For example, the Office of Inspector General for the Department of Health and Human Services has a National Professional Development Center. Although we did not evaluate course content or quality, the Center's curriculum includes nine courses on auditing computer systems plus other courses on data retrieval techniques.

The Interagency Auditor Training Programs of the Graduate School, U.S. Department of Agriculture, are one external source of computer training for government auditors. In conjunction with the Office of Personnel Management, the Interagency Auditor Training Programs offer specialized computer and computer audit training for general and computer auditors. From October 1, 1979, to June 30, 1980, they provided computer training to 97 Federal auditors from various agencies. Other institutions also offer training to improve auditors' computer knowledge. These include:

— American Institute of Certified Public Accountants, New York, N.Y.

— Canadian Institute of Chartered Accountants, Toronto.

— Department of Defense Computer Institute, Washington, D.C.

— EDP Auditors Foundation, Carol Stream, Ill.

— Institute of Internal Auditors, Altamonte Springs, Fla.

Our review noted that although auditors at many audit organizations had received some training, only 7 of 19 organizations have formal training programs to develop new computer auditors or to maintain the audit knowledge and skill of existing staff. If provided at all, training at the other 12 organizations was, in our opinion, haphazard and often self-initiated by the individual staff members.

As discussed earlier in this chapter, qualified computer audit staff cannot always be readily recruited and an established computer audit training program can give an organization greater flexibility in using existing staff to provide computer audit capabilities.


16 




CHAPTER  3 


GROWING  CONCERN  FOR  PROPER  COMPUTER-RELATED  CONTROLS 
REQUIRES  GREATER  EMPHASIS  BY  FEDERAL  INTERNAL 
AUDIT  ORGANIZATIONS 

Concern for proper computer-related controls and their evaluation
has grown since our 1977 report. Audit standards and guidance by the
Comptroller General and other professional audit authorities
increasingly emphasize these controls. The need is demonstrated by
continuing incidents of computer-related crime, and is recognized in
Federal legislation calling for proper internal control systems in
business and government. Concern is also evidenced by increased
computer auditing by public accounting firms. But despite this
increased awareness, our review showed that Federal agencies
generally do not place high priority on the evaluation of
computer-related controls by internal audit groups. This lack of
emphasis may have contributed to the general lack of adequate
computer audit capability that we observed.

CONTINUING  COMPUTER  CRIME  DEMANDS 
PROPER  COMPUTER-RELATED  CONTROLS 

Abuse of the computer to intentionally cause loss or to achieve
personal gain is a continuing problem. Although these crimes
frequently cause losses of millions of dollars, crime experts believe
most computer crime goes unreported or undetected. Auditors can help
minimize the risk of such crime by helping to ensure that adequate
computer-related controls are in place.

Computer-related crimes cause concern because they often involve
millions of dollars, and those that are reported may represent only
the tip of the iceberg. Some experts believe that, for fear of
adverse publicity, only a fraction of detected computer crimes are
reported. We concur in this view. Of reported crimes, one of the
largest losses due to a single computer-related crime is the $185
million loss in the 1973 Equity Funding Corporation of America
scandal. In other reported computer-related crimes, losses of over
$1 million are not unusual.

Computer crime is also difficult to detect in that victims are often
unaware that the crime has been committed. For example, the Equity
Funding scandal took place over a period of years before discovery.
In another case, the Security Pacific Bank of Los Angeles, California,
was the victim of a $10.2 million computer-related theft in 1978.
About a week after the theft took place, the bank was still unaware
the loss had occurred. Only after the Federal Bureau of Investigation
contacted the bank about a related investigation was the loss
discovered. Considering both unreported and undetected crime, some
experts estimate that the annual national loss due to computer crime
could range in the hundreds of millions of dollars.


17 




One of our prior reports, "Computer-Related Crimes in Federal
Programs," noted 69 computer-related crimes or other incidents in
Federal programs which resulted in a total loss of over $2 million. 1/
In addition to monetary loss, some of these crimes violated the
privacy of individuals whose data records were involved. Our report
further noted that most cases examined were not sophisticated
attempts to use computer technology for fraudulent purposes. Instead,
they involved uncomplicated acts made easier by inadequate internal
controls for the systems.

The vulnerability of the computer requires that an assessment of the
internal controls be an essential part of an audit. In this
assessment, the auditor must be alert to situations or transactions
that may be indications of fraud, improper or illegal spending or
operations, or other waste or inefficiency. Still, it should be
remembered that the auditor's evaluation is not designed to give
absolute assurance that no such situations exist. The audit process
is not a substitute for adequate internal control.

CONGRESS  SUPPORTS  ADEQUATE 
INTERNAL  CONTROL  SYSTEMS 


Congress strongly supports adequate systems of internal control as a
means of preventing error, fraud, waste, and abuse. Congressional
concern has led to existing legislation as well as proposed
legislation that requires business and Government managers to devise
and maintain adequate internal control systems. Increasingly, these
internal control systems include computer-related controls as
business and Government become more dependent on the computer to
provide information for management decisions and to manage
transactions affecting financial and information resources. This, in
turn, emphasizes the auditor's responsibility to consider
computer-related controls as part of the evaluation of internal
control systems.

The Securities and Exchange Act of 1934, as amended by the Foreign
Corrupt Practices Act of 1977, is one measure that requires adequate
internal control systems for private companies. This law requires
that every company issuing securities registered with the Securities
and Exchange Commission have a system of internal accounting
controls. These controls should provide reasonable assurance that
assets are safeguarded and that records accurately reflect the
transactions and disposition of these assets. Although not adopted
specifically for this law, the AICPA's Statement on Auditing
Standards Number 20 expresses the increasing concern for adequate
internal control. It requires the independent auditor to inform a
company's senior managers and the board of directors or its audit
committee of any weaknesses in internal accounting control. Implicit
in the auditor's evaluation of internal accounting controls is the
evaluation of such controls in computer-based systems.


1/FGMSD-76-27, Apr. 27, 1976.


18 




Another effort to stress internal control procedures in the Federal
Government is now before the Congress. Bills to amend the Accounting
and Auditing Act of 1950 (31 U.S.C. 65) would emphasize the act's
requirements for Federal agencies to establish and maintain effective
internal control systems. The proposed legislation would require
ongoing evaluations of internal accounting and administrative control
systems, and prompt correction of detected weaknesses. As with those
of the Foreign Corrupt Practices Act, such requirements highlight the
importance of the auditor's evaluation of internal controls,
including those of computer-based systems.

PUBLIC  ACCOUNTING  FIRMS  EMPHASIZE  EVALUATION 
OF  COMPUTER-RELATED  CONTROLS 

Our  look  at  three  public  accounting  firms  found  them  also 
devoting  efforts  to  computer  auditing.  Their  approaches  differ 
somewhat,  but  each  firm  is  committed  to  computer  auditing  for 
evaluating  clients'  internal  control  systems  and  improving  audit 
efficiency. 

All three firms have computer audit staffs primarily to assist the
accountant in financial statement audits. This assistance includes
compliance testing of computer-related controls and more detailed
substantive tests. In a unique approach, the Computer Audit
Assistance Group of Coopers & Lybrand is a separate element of the
firm and markets its services to the firm's general practice staff.
The other two firms draw on computer-trained accountants or
management consultants as the general practice staffs identify the
need.

These three firms also develop computer programs (software) to
automate their audit or computer audit activities. Such audit
software can aid in testing clients' control systems and reduce the
time needed to perform audit work. The director of Coopers &
Lybrand's Computer Audit Assistance Group said that at the time of
our visit, the group had developed some 60,000 computer programs for
auditing and other services, such as tax planning and analysis and
business planning.

The approaches of these major auditing firms demonstrate that
evaluating computer-related controls is an integral part of audits
performed in the public accounting sector. This indicates the need
for similar commitments to auditing these controls in the Federal
Government.

FEDERAL  AUDIT  POLICY  DOES  NOT  EMPHASIZE 
COMPUTER-RELATED  CONTROLS 

Even  with  the  growing  concern  for  proper  computer-related 
controls  discussed  in  this  chapter,  we  found  little  emphasis  on 
these  controls  in  formal  or  informal  policy  guidance  for  Federal 
internal  audit  operations.  We  feel  that  this  lack  of  specific 
policy  guidance  contributed  to  the  inadequate  computer  audit 


19 




coverage we observed in general. More specific policy guidance for
executive departments and agencies could help ensure that internal
audit organizations appropriately consider computer-related controls
in planning and providing audit coverage.

While we have established standards and provided guidance for the
audit community, little formal direction exists requiring Federal
audit organizations to perform computer audits. For example, OMB
Circular No. A-73 (Revised) sets forth policies for audit of Federal
operations and programs. Although this document prescribes the
Comptroller General's government audit standards as the basic
criteria for audit coverage and operations, it does not specifically
address auditing computer-related controls. In addition, Transmittal
Memorandum No. 1 to OMB Circular No. A-71 requires the audit and
evaluation of sensitive computer systems but does not specifically
assign this responsibility to the internal audit function. As a
result, not all audit organizations we reviewed considered the
requirements of this transmittal memorandum in scheduling computer
audits, and in some agencies audit and evaluation of sensitive
computer systems were performed by the data processing function. In
our opinion, this lack of specific OMB guidance may contribute to
unclear audit responsibilities and more dependence on management
attitudes for computer audit involvement.

As discussed in chapter 2, management support can directly affect the
extent of an organization's computer audit activities. For example,
the establishment of separate computer audit groups within the
Inspector General offices at the General Services Administration and
the Department of the Interior can be directly attributed to support
for computer auditing by senior managers of these offices. On the
other hand, lack of such support in two other organizations resulted
in delays in replacing lost computer audit staff and cancellation of
planned audits.

Audit organizations have also received little in the way of informal
direction. In our 1977 report we recommended that OMB monitor the
progress of Federal internal audit groups in computer auditing. Our
review at the 19 audit organizations and contact with OMB officials
confirmed that this generally has not been done. Such monitoring
could provide some direction to audit groups on establishing and
maintaining computer audit capabilities and perhaps indicate a need
for more specific guidance on evaluating computer-related controls.


CHAPTER  4 


CONCLUSIONS  AND  RECOMMENDATIONS 


CONCLUSIONS 

With the expanding computer usage and the billions being spent
annually on data processing, Federal inspector general and internal
audit organizations must properly consider Government computer
operations in fulfilling their internal audit responsibilities. These
organizations must plan adequate computer audit coverage and provide
the staff to do this work.

The computer has added a new dimension to the role of government
auditors. Agencies' internal control systems include controls for
preparing input to the computer and for using its output, and
controls contained in computer hardware and programs. The auditor
must consider these controls in providing assurance to management
that information provided is accurate and reliable and that financial
assets and information are protected against loss. Auditors must also
review for efficient, effective, and economical use of resources,
which include computer equipment, programs, and other spending for
computer operations.

We have discussed computer audit responsibilities for Federal
internal auditors in several Government-wide reports and in
government audit standards. Our 1977 report recommended that each
Federal internal audit group respond to the challenge of computer
auditing essentially by determining the agency's computer audit needs
and developing the audit staff to meet these needs. Moreover, the
Comptroller General's standards for auditing computer-based systems
describe auditors' responsibilities to review for adequate controls
in computer systems and applications. These standards also prescribe
a goal of auditor participation in reviewing systems and applications
during design and development.

Our review showed that many Federal internal audit organizations have
not provided adequate audit coverage for their agencies' computer
operations as prescribed by our 1977 report and the GAO computer
audit standards. While most of the 19 audit organizations reviewed
had conducted at least some computer audits since our 1977 report,
many had not completely identified their agencies' computer
activities to aid in planning appropriate audit coverage. For some
organizations, computer systems and applications in design and
development were important omissions in identifying potential audit
needs. As a result, these organizations cannot affirm that they
provide adequate computer audit coverage or that they use computer
audit staff effectively and efficiently.

In addition, many audit organizations have not developed or
maintained appropriately skilled audit staff to meet computer audit
needs. Because of the lack of computer audit capabilities, many
organizations were not in compliance with the GAO computer audit
standards. In some cases we found examples of effective computer
audit work and concerted efforts to implement the standards, but
without more computer audit staff and audit time, many organizations
will not meet their audit responsibilities as prescribed by the
standards. This is particularly true for six organizations which had
little or no computer audit capabilities at the time of our review.

In developing computer audit staff, many organizations were hindered
by such things as lack of management support, personnel ceilings, and
hiring restrictions. But we also found that many organizations appear
to have relied on hiring qualified staff and neglected development of
computer audit capabilities by training existing staff. An ongoing
program to train existing staff can supplement hiring and provide a
continuing source of computer audit staff to help offset the effect
of hiring restrictions. This training should provide all auditors
with a basic level of computer knowledge needed for today's computer
environment, as well as develop and maintain the skills of computer
audit staff.

Other than GAO standards, Federal internal audit organizations
overall have received little direction specifically addressing
requirements for auditing computer-related controls. We believe that
this lack of specific direction makes computer audit involvement more
dependent on attitudes and commitments of individual managers, and
may have contributed to the inadequate computer auditing we observed
in our review.

RECOMMENDATIONS 

We recommend that the heads of Federal agencies help ensure that
their inspector general and internal audit organizations properly
consider agency computer operations in providing internal audit
coverage by requiring them to:

— Identify  the  agency's  computer  audit  universe,  including 
existing  computer  systems  and  major  applications  as  well  as 
those  being  planned  for  design  and  development. 

— Determine the extent to which computer activities need auditing
and conduct needed audits based on requirements of the GAO
computer audit standards relating to the adequacy of general and
application controls. Computers should also be considered in
fulfilling audit responsibilities to review for efficient,
effective, and economical operations.

— Determine  the  staff  and  skills  needed  to  meet  computer  audit 
responsibilities,  and  consider  alternatives  for  developing 
and  sustaining  these  capabilities. 

— Periodically  review  audit  coverage  of  computer  systems  and 
adjust  allocations  of  staff  resources  accordingly. 


22 




— Establish a basic level of computer knowledge which all audit
staff must attain. Auditors may reach this basic level through
their own educational programs or by training during their
employment.

In  addition,  we  recommend  that  the  Office  of  Management  and 
Budget  play  a  more  active  role  in  monitoring  agencies'  progress 
in  developing  and  maintaining  their  computer  audit  capabilities, 
and  provide  guidance  as  appropriate,  addressing  internal  audit 
evaluation  of  computer-related  controls. 

AGENCY  COMMENTS 

Eighteen agencies and the Office of Management and Budget commented
on our report and generally agreed with the recommendations. Fifteen
of these agencies responded in writing and their comments are
included in appendix VI. Most supported the need for increased
emphasis of computer auditing in the Federal Government, and some
provided information on current and planned actions to increase their
computer audit capabilities. For example, the Office of Inspector
General for the Department of Transportation did a staff study (see
p. 59 for management synopsis) to determine its staffing requirements
for auditing ADP systems. Based on the study, the Department has
begun to recruit ADP auditors. Others indicated that staffing
restrictions and other audit responsibilities will continue to
restrict their computer audit efforts. Both the Department of Health
and Human Services and the National Aeronautics and Space
Administration feel that because of such factors, development of
greater computer audit capabilities must be viewed as a long-term
goal.

The Department of Commerce felt that it was difficult to establish a
basic level of computer knowledge which all staff must attain. As
discussed on pages 16 and 17, this level of training is prescribed in
the "Governmental Auditor Training Profile" endorsed by the Federal
Audit Executives Council. One suggested source of such training is
the Interagency Auditor Training Programs. In addition, some agencies
have developed their own basic level ADP courses. For example, the
Department of Housing and Urban Development indicated that it will
begin in September 1981 to provide auditors with a basic level of ADP
knowledge. It will give courses on the Department's audit guides
which incorporate the GAO computer audit standards. The Department of
Commerce also commented that it was not practical to maintain, for
audit purposes, an inventory of agency computer systems at the
applications level. While it may not be necessary to have a complete
inventory of every application, an inventory should exist showing at
least all major applications and those critical to the agency's
mission. Commerce also felt that no further OMB guidance was
necessary. We believe the varied conditions observed throughout the
Federal establishment argue for additional OMB involvement.


23 




The Office of Management and Budget commented that this report,
together with the June 1981 GAO audit guide, "Evaluating Internal
Controls in Computer-Based Systems," will be helpful in improving
Federal audit capabilities. OMB also noted that the President's
Council on Integrity and Efficiency has established a training
committee to identify auditor training needs, including those for
computer auditing. In addition, the President's Council has selected
the area of computer security for a proposed project to address
computer system protection, data accuracy and reliability, efficiency
of operations, and user satisfaction. To help target corrective
action and monitor agency progress in developing computer audit
capabilities, OMB indicated that it would request us to arrange a
briefing on this report for the President's Council.

OMB also commented that it had reviewed agency plans for audits of
"sensitive" computer applications, and was monitoring the area and
providing guidance. However, we believe the conditions we observed
indicate a need for OMB to play a more active role in computer
auditing.


24 




APPENDIX  I 




INSPECTOR  GENERAL  AND  INTERNAL  AUDIT 
ORGANIZATIONS  CONTACTED  DURING  REVIEW 

Department  of  Agriculture — Office  of  Inspector  General 

Department  of  Defense — Army  Audit  Agency,  Naval  Audit  Service,  Air 
Force  Audit  Agency 

Department  of  the  Interior — Office  of  Inspector  General 

Department  of  Health  and  Human  Services — Office  of  Inspector  General 

Department  of  Education — Office  of  Inspector  General 

Department  of  Housing  and  Urban  Development — Office  of  Inspector 
General 

Department  of  Labor — Office  of  Inspector  General 

Department  of  Transportation — Office  of  Inspector  General 

General  Services  Administration — Office  of  Inspector  General 

National  Aeronautics  and  Space  Administration — Office  of  Inspector 
General 

Veterans  Administration — Office  of  Inspector  General 

Department of the Treasury—Office of Inspector General, Comptroller
of the Currency (Inspections and Audit Division)

Department  of  Energy — Office  of  Inspector  General 

Department  of  Commerce — Office  of  Inspector  General 

Federal  Home  Loan  Bank  Board — Internal  Evaluation  and  Compliance 
Office 

U.S.  Postal  Service — Postal  Inspection  Service 


25 




APPENDIX  II 




NUMBER OF COMPUTER SYSTEMS AND RELATED CENTRAL PROCESSING UNITS FOR
AGENCIES CONTACTED DURING THIS REVIEW AT SEPTEMBER 30, 1980

                                              Computer    Central
                                              systems     processing
Agency                                        (note a)    units

Department of Agriculture                        124         146
Department of Defense:
  Army                                         1,379       1,647
  Air Force                                    1,812       2,418
  Navy                                         1,660       2,054
Department of Interior                           240         263
Department of Education                            2           2
Department of Health and Human Services          285         451
Department of Housing and Urban Development        3           3
Department of Labor                               33          38
Department of Transportation                     263         372
General Services Administration                   41          43
National Aeronautics and Space Administration    482       1,903
Veterans Administration                          411         420
Department of the Treasury                       177         218
Department of Energy                           2,915       3,716
Department of Commerce                           411         443
Federal Home Loan Bank Board                       2           2

Totals for agencies contacted                 10,240      14,139

Total inventory for U.S. Government (note b)  11,055      15,142

Percentage of total U.S. Government inventory
represented by agencies contacted                 93          93

a/For  purposes  of  this  inventory,  a  central  processing  unit  is 
synonymous  with  a  computer,  while  a  computer  system  may  include 
one  or  more  central  processing  units. 

b/Does  not  include  computer  resources  of  the  U.S.  Postal  Service. 

GAO note: Agencies may have computer audit responsibilities which
are not indicated by the schedule amounts. Some agencies, for
example, may have audit responsibility for contractors' computer
systems or, as in the Department of Defense, for computer systems
which are embedded in a weapons system or used for certain
classified purposes, neither of which category is included in the
inventory numbers.

SOURCE:  General  Services  Administration's  fiscal  1980  "Automatic 
Data  Processing  Equipment  Inventory." 


26 




APPENDIX  III 




ADDITIONAL  INSPECTOR  GENERAL 

AND  INTERNAL  AUDIT  ORGANIZATIONS 

PROVIDING  INFORMATION  FOR  THIS  REVIEW 

Agency  for  International  Development — Auditor  General 

Civil  Aeronautics  Board — Bureau  of  Carrier  Accounts  and  Audits 

Department of Defense—Defense Audit Service, Defense Contract
Audit Agency, U.S. Marine Corps Field Audit Service

Department  of  Health  and  Human  Services,  Office  of  Child  Support 
Enforcement — Audit  Division 

Department of Justice—Internal Audit Staff

Equal Employment Opportunity Commission—Office of Audits

Federal  Communications  Commission — Internal  Review  and  Security 
Division 

Federal  Emergency  Management  Agency — Office  of  Inspector  General 

Government  Printing  Office — Office  of  Audits 

National  Endowment  for  the  Humanities — Audit  Office 

Nuclear  Regulatory  Commission — Office  of  Inspector  and  Auditor 

Pension  Benefit  Guaranty  Corporation — Internal  Audit 

Small  Business  Administration — Office  of  Inspector  General 

Tennessee  Valley  Authority — Auditing  Branch 

U.S. International Communication Agency—Office of Audits


APPENDIX  IV 




RESPONSES  OF  AUDIT  ORGANIZATIONS 

TO  SELECTED  ITEMS  OF  REVIEW  QUESTIONNAIRE  1/ 

1. Percentage of organizations' total internal audit time spent
performing computer audit work for the periods October 1, 1977 to
June 30, 1980 and prior to October 1977:

                                 Number of organizations
                              Oct. 1, 1977 to     Prior to
Percent spent                 June 30, 1980       Oct. 1977 (note a)

Less than 10                        15                 16
11 to 20                             3                  1
21 to 30                             -                  -
31 to 40                             -                  -
41 to 50                             -                  -
over 50                              -                  -

a/One agency had no information on work prior to Oct. 1977.


2. Approximate number of professional audit staff and number of
these considered computer audit specialists or generalists as of
June 30, 1980:

                                               Computer audit specialists
                                               or generalists (note a)
                                 Professional            Percent of
Department/agency                audit staff   Number   professional staff

Agriculture                            350        30          8.6
Army Audit Agency                      649        12          1.8
Naval Audit Service                    419        22          5.3
Air Force Audit Agency                 777       116         14.9
Energy                                  40         1          2.5
Interior                               126        10          7.9
Health and Human Services              680        50          7.4
Housing and Urban Development          300         5          1.7
Labor                                  166         2          1.2
Transportation                         339         2          0.6
General Services Administration        236        13          5.5
National Aeronautics and Space
  Administration                        52         5          9.6
Veterans Administration                240        39         16.3
Treasury (note b)                       10         0           -
Comptroller of the Currency              6         0           -
Commerce                                85         4          4.7
Federal Home Loan Bank Board             9         0           -
Postal Inspection Service              475        36          7.6
Defense Audit Service                  649        12          1.8

1/These responses do not include information from the Department of
Energy and the Department of Education which were just organizing
initial computer audit capabilities as of June 30, 1980. However,
they do include those of the Defense Audit Service which completed a
questionnaire for our review.

a/We requested that agencies identify the members of their audit staff who
are generally qualified for and dedicated to computer audit work. Based on
our discussions with the personnel of these agencies on their replies to
this question, perceptions of what constitutes a computer-qualified auditor
varied considerably, and these statistics do not include all staff with
some level of computer audit knowledge or skills. The numbers should not be
interpreted as implying either adequate or inadequate computer audit staff
for agencies' audit responsibilities; that point was covered elsewhere in
our questionnaire (See p. 4).

b/These figures represent only our review of the immediate Office of the
Inspector General. Considering the Treasury Department's decentralized
audit system for its bureaus and the Comptroller of the Currency (shown
above), audit staff totaled 633 Department-wide with 33 (5.2 percent)
computer audit specialists.

3.  Is  there  a  specific  base  level  of  computer  classroom/seminar 
training  that  is  routinely  provided  to  all  members  of  your 
organization's  audit  staff? 

7  Yes 

11  No 

4. Adequacy of the number of computer audit specialists in the
organization:

0  More  than  adequate 

2  Adequate 

15  Less  than  adequate 

5.  Does  your  organization  have  a  separate  identifiable  computer 
audit  group? 

9  Yes 

9  No 




29 




6.  Has  your  organization  ever  taken  an  inventory  of  computer 
systems? 

12  Yes 

6  No 

7.  Are  computer  audit  areas  set  forth  explicitly  in  planning 
documents,  or  are  they  implicitly  included  under  other  areas 
such  as  procurement,  payroll,  supply,  and  so  forth? 

11  Computer audit areas are set forth explicitly in the planning
    documents.

3  Computer audit areas are implicitly included in planning
   documents.

   ADP audit areas are both explicitly and implicitly included in
   planning documents.

8. Does your organization use any standardized audit programs,
checklists, or questionnaires in performing computer audit work?
By standardized, we mean a uniform program, checklist or
questionnaire that is used in audits of all (or many) computer
systems.

6  Yes 

12  No 

9. Is the amount of staff time that you expect your organization
to devote to computer audit work more than, about equal to,
or less than the amount that needs to be spent on computer
auditing?

0  Expected  audit  time  is  more  than  needed. 

3  Expected  audit  time  is  about  what  is  needed. 

15  Expected  audit  time  is  less  than  needed. 

10. If you indicated above that expected computer audit time is less
than needed, what is the principal reason why your organization
does not do more computer audit work?

7  Personnel  ceilings  preclude  hiring  sufficient 
additional  staff. 

2  Regardless  of  personnel  ceilings,  sufficient 
numbers  of  computer  trained  staff  could  not  be 
hired  in  the  foreseeable  future. 

4  Other  audit  work  priorities  are  too  great  to  permit 
sufficient  additional  computer  audit  work. 



1 Available training funds are insufficient to permit
staff computer skill upgrading within a reasonable
period.

0  Audit  workload  is  too  great  to  permit  sufficient 
staff  time  for  upgrading  computer  skill  within 
a  reasonable  period. 

2  Other. 

NOTE: Totals 16 rather than 15 (as indicated by question
9) because two categories were reported by one
agency.

11.  Will  computer  auditing  within  your  organization  over  the  next 
5  years  increase,  decrease,  or  remain  about  the  same? 

10  Significantly  increase. 

8  Moderately  increase. 

0  Remain  about  the  same. 

0  Moderately  decrease. 

0  Significantly  decrease. 


APPENDIX V


SUMMARY  OF  ADDITIONAL  GAO  AUDIT  STANDARDS 

FOR  AUDITING  COMPUTER-BASED  SYSTEMS 

In  March  1979,  the  Comptroller  General  of  the  United  States 
issued  additional  government  audit  standards  for  providing  proper 
audit  coverage  to  computer-based  systems.  Effective  January  1, 
1980,  these  standards  supplement  GAO's  basic  document,  "Standards 
for  Audit  of  Governmental  Organizations,  Programs,  Activities,  and 
Functions."  Issued  initially  as  a  separate  document  entitled 
"Auditing  Computer-Based  Systems,"  the  supplemental  standards  have 
been  incorporated  into  the  1981  revision  of  the  basic  document. 

The Comptroller General's audit standards must be followed by
Federal auditors for audits of Federal organizations, programs,
activities, functions, and funds received by contractors, nonprofit
organizations, and other external organizations. They are recommended
for audits of State and local government organizations, programs,
activities, and functions performed by State or local government
auditors or by public accountants. Below we present a discussion of
the computer audit responsibilities prescribed for such government
auditing.

STANDARD  FOR  AUDIT  REVIEW  OF  GENERAL 
CONTROLS  IN  COMPUTER-BASED  SYSTEMS 

The  first  standard  is: 

The  auditor  shall  review  general  controls  in  data 
processing  systems  to  determine  that  (A)  controls 
have  been  designed  according  to  management  direction 
and  legal  requirements,  and  (B)  such  controls  are 
operating  effectively  to  provide  reliability  of,  and 
security  over,  the  data  being  processed. 

The transition from mechanical data processing to automatic
data processing means traditional audit approaches must be revised.
The complexity and far-reaching scope of such systems require
that the auditor give greater attention both to the system that
processes the data and to the data itself. The theory is that if
the system is secure and controlled, the auditor will be able to
rely on the data processed and reported.

The auditor should distinguish between general and application
controls. General controls are normally applicable to most
processing being carried out within the installation, while
application controls may vary and are therefore reviewed on an
individual application basis. (See standard 2 for application
controls audit review.) Auditors are to review and evaluate these
general controls and consider their effectiveness in performing the
review of individual application controls.




Organizational  controls 

Authority and responsibility must be delegated in such a manner
that the organizational objectives can be met with efficiency
and effectiveness. The auditor should review the organization,
delegation of authority, responsibilities, and separation of duties
in the organization. Such reviews are to determine whether
functional lines of authority are designed to meet the
organization's objectives and whether the separation of duties
provides for a relatively strong level of internal control. For
example, separation of duties should provide for separation among
program and systems development functions, computer operations,
control over input data, and the control group responsible for
maintaining application controls. The total system must be
considered by the auditor.

In reviewing the separation of duties, the auditor should
evaluate the control strengths and report on weaknesses resulting
from inadequate separation. Policies of periodic rotation of
employees and mandatory vacation scheduling may help management
maintain adequate separation of duties. The auditor should
ascertain whether such policies are being followed.
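One way an auditor can test the separation the standard describes, rather than rely on an organization chart, is to check the actual role assignments mechanically. The following Python example is added here and is not part of the GAO standard or any agency's tooling; the role names are taken from the four functions the standard lists, the rule that every pair of those four functions is a conflict is an assumption made for illustration, and the people and assignments are constructed.

```python
"""Separation-of-duties check over a constructed role-assignment table.

Added example (not from the GAO standard). The four functions the standard
names are modelled as roles; any person holding two of them is reported.
"""
from itertools import combinations

# Roles drawn from the standard's example of functions that must be separated.
DEVELOPMENT = "systems_development"
OPERATIONS = "computer_operations"
INPUT_CONTROL = "input_data_control"
CONTROL_GROUP = "application_control_group"

# Assumption for this example: every pair of the four functions is a conflict.
CONFLICTING_PAIRS = {
    frozenset(pair)
    for pair in combinations([DEVELOPMENT, OPERATIONS, INPUT_CONTROL, CONTROL_GROUP], 2)
}

# Constructed sample assignments (hypothetical people and roles).
SAMPLE_ASSIGNMENTS = [
    ("a.adams", DEVELOPMENT),
    ("a.adams", OPERATIONS),        # conflict: developer also runs production jobs
    ("b.baker", OPERATIONS),
    ("c.clark", INPUT_CONTROL),
    ("c.clark", CONTROL_GROUP),     # conflict: prepares input and maintains controls
    ("d.davis", CONTROL_GROUP),
    ("e.evans", "help_desk"),       # role outside the four separated functions
]


def roles_by_person(assignments):
    """Group (person, role) pairs into {person: set_of_roles}."""
    table = {}
    for person, role in assignments:
        table.setdefault(person, set()).add(role)
    return table


def sod_findings(assignments):
    """Return sorted (person, role_a, role_b) tuples for each conflicting pair held."""
    findings = []
    for person, roles in roles_by_person(assignments).items():
        for role_a, role_b in combinations(sorted(roles), 2):
            if frozenset((role_a, role_b)) in CONFLICTING_PAIRS:
                findings.append((person, role_a, role_b))
    return sorted(findings)


def is_adequately_separated(assignments):
    """True when no person holds two functions the standard says to separate."""
    return not sod_findings(assignments)


if __name__ == "__main__":
    for person, role_a, role_b in sod_findings(SAMPLE_ASSIGNMENTS):
        print(f"SoD finding: {person} holds both {role_a} and {role_b}")
```

The same table, fed from an access-control system's export instead of the constructed list, gives the auditor evidence for the "report on weaknesses resulting from inadequate separation" step; the rotation and mandatory-vacation policies the paragraph mentions are a separate check on whether the assignments change over time.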

Physical  facilities,  personnel, 
and  security  controls 

Adequate physical facilities and other resources (such as
adequately trained personnel and supplies) are necessary for the
organization to meet its data processing objectives. The auditor
should review these factors to determine whether or not the
organization has adequate resources for meeting its needs.

Personnel management — including supervision, motivation, and
professional development of personnel — is integral to successful
management of the data processing function. The auditor should
review and evaluate these management policies and practices to
ascertain whether the necessary policies exist and are being
followed. For example, since the entire field of computers is
rapidly evolving, the organization's personnel management office
needs to develop — in conjunction with the data processing
organization — an education and training program. This program
should keep employees abreast of current developments so that they
may perform their duties most efficiently and economically, and use
new methods whenever they are demonstrably cost effective.
Inadequate personnel training and development programs in data
processing can hinder accomplishment of the organization's mission.

Adequacy of provisions for security of computer hardware,
computer programs, data files, data transmission, input and output
material, and personnel should also be reviewed by the auditor.
This review should include not only the central processing facility
but also extend to computer terminals, communications operations,
and other peripheral equipment.




In reviewing physical security of computer hardware, the
auditor should consider the adequacy of contingency plans for
continued processing of critical applications in the event of a
disruption of normal data processing functions. This should include
provisions for emergency power and hardware backup as well as
detailed plans for making use of the backup equipment and
transporting personnel, programs, forms, and data files to the
alternate processing location. The auditor should also consider the
extent to which this contingency plan has been tested to determine
the probability of continuing data processing support in the event
of a real emergency.

In reviewing physical security of data files, the auditor
should ensure that data and program file libraries are maintained
by personnel who do not have access to computers and computer
programs, file libraries are secure, computer operators and other
personnel do not have unlimited access to the library, and
provisions have been made for backup of files (including offsite
backup). When files are normally maintained online, the auditor
should consider whether they are protected by adequate access
authorization controls and whether backup copies of files are
regularly maintained. The auditor should verify that backup files
are properly identified, labeled, and the contents checked to ensure
that the backup medium is complete and accurate. Similar stringent
controls should exist for program backup files.
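The verification the paragraph asks for (backup files identified, labeled, complete, and accurate) can be made repeatable by recording a manifest at backup time and comparing the medium against it at review time. The Python example below is added here and is not part of the GAO standard or any agency's backup procedure; the manifest layout, the label string, and the file contents are constructed for illustration.

```python
"""Verifying a backup set against its manifest: identification, labeling,
completeness, and content accuracy.

Added example, not from the GAO standard. The manifest format, the label,
and the file contents below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ManifestEntry:
    name: str     # file name as recorded at backup time
    label: str    # the external label the backup set must carry
    sha256: str   # digest of the file contents at backup time
    size: int     # size in bytes at backup time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, label: str) -> list:
    """Record name, label, digest and size for every file in the backup set."""
    return [ManifestEntry(name, label, sha256_hex(data), len(data))
            for name, data in sorted(files.items())]


def verify_backup(manifest: list, medium_label: str, medium_files: dict) -> dict:
    """Compare what is physically on the backup medium with the manifest.

    Returns a dict of findings; an empty list under every key means the
    backup is correctly labeled, complete, and accurate.
    """
    findings = {"mislabeled": [], "missing": [], "corrupted": [], "unexpected": []}
    expected_names = set()
    for entry in manifest:
        expected_names.add(entry.name)
        if entry.label != medium_label:
            findings["mislabeled"].append(entry.name)
        data = medium_files.get(entry.name)
        if data is None:
            findings["missing"].append(entry.name)
        elif len(data) != entry.size or sha256_hex(data) != entry.sha256:
            findings["corrupted"].append(entry.name)
    # Files on the medium that the manifest never recorded are reported too:
    # they may mean the wrong volume was mounted or the set is not what it claims.
    findings["unexpected"] = sorted(set(medium_files) - expected_names)
    return findings


def backup_is_acceptable(findings: dict) -> bool:
    return not any(findings.values())


# Constructed production data at backup time (hypothetical file names).
PRODUCTION_FILES = {
    "PAYROLL.MASTER": b"emp001,4200.00\nemp002,3900.50\n",
    "PAYROLL.TRANS": b"emp001,+150.00\n",
    "PAYROLL.PROG": b"PROGRAM-ID. PAYCALC.\n",
}
BACKUP_LABEL = "PAYROLL BACKUP CYCLE 07 (constructed label)"
MANIFEST = build_manifest(PRODUCTION_FILES, BACKUP_LABEL)

# Constructed copy "read back" from the medium: one file truncated, one absent,
# one stray file present.
MEDIUM_FILES = {
    "PAYROLL.MASTER": b"emp001,4200.00\n",   # truncated during the copy
    "PAYROLL.PROG": b"PROGRAM-ID. PAYCALC.\n",
    "SCRATCH.TMP": b"",                       # not part of the backup set
}

if __name__ == "__main__":
    result = verify_backup(MANIFEST, BACKUP_LABEL, MEDIUM_FILES)
    print("acceptable:", backup_is_acceptable(result))
    for kind, names in result.items():
        if names:
            print(f"  {kind}: {', '.join(names)}")
```

The manifest should be kept apart from the medium it describes (for example with the offsite copy the paragraph mentions), since a manifest stored only on the same tape cannot detect a substituted tape. The same routine serves the program backup files the paragraph mentions, since it makes no distinction between data and program contents.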

Operating  systems  controls 

Computer systems are frequently controlled by operating systems
(usually referred to as systems software). Since these operating
systems provide data handling and multiprogramming capabilities,
file label checking, and many other authorization controls, the
operating system is integral to the general controls over computer
processing. The auditor should be aware of the controls the
operating system can exercise and should ascertain the extent to
which those controls have been implemented, as well as how they may
be bypassed or overridden. The auditor also should be aware of the
fact that personnel responsible for maintaining the operating
system, and other persons with the ability to modify the operating
system, may intentionally or accidentally cause specific control
features within the operating system to become ineffective.

Hardware controls

Computer hardware frequently has the capability to detect
erroneous conditions related to hardware malfunctions (as
contrasted to program malfunctions). The auditor should be aware of
(1) how the installation relies on these hardware controls, (2)
how the operating system utilizes these controls, and (3) how the
detected hardware errors are reported within the installation as
well as the procedures for taking corrective action.




STANDARD FOR REVIEW OF APPLICATION CONTROLS
IN COMPUTER-BASED SYSTEMS

The second standard is:

The  auditor  shall  review  application  controls  of 
installed  data  processing  applications  upon  which 
the  auditor  is  relying  to  assess  their  reliability 
in  processing  data  in  a  timely,  accurate,  and 
complete  manner. 

Before  an  assessment  of  processing  reliability  or  integrity  in  any 
application  can  be  complete,  both  the  specific  application  controls 
and  the  general  controls  must  be  evaluated  in  their  entirety. 

The  audit  work  performed  in  responding  to  standard  2  has  two 
basic  objectives.  Both  are  discussed  below. 

Conformance  with  standards  and  approved  design 

The  first  objective  is  to  determine  whether  the  installed  ap¬ 
plications/systems  conform  to  applicable  standards  and  the  latest 
approved  design  specifications. 

Audit compliance with supplemental standard 2 provides
assurance that the approved specifications, with all built-in
internal controls (input, processing, output, etc.) have been
installed as intended, are properly documented, and have been
adequately tested.

When the auditor tests data reliability, such tests should
include examining supporting documentation for selected
transactions, testing the clerical accuracy of the manner in which
transactions have been entered and summarized, and testing
compliance with control procedures. In addition, auditors may wish
to test selected data files to identify possible exception
conditions and the accuracy of data conversion or capture. If the
data records are maintained in machine-readable condition the
auditor should, where appropriate, make use of computer-assisted
audit techniques in testing data records.

Tests  for  control  weaknesses 

The  second  objective  is  to  test  internal  controls  and  the 
reliability  of  the  data  produced.  In  addition  to  showing  adequacy 
of  controls,  such  tests  may  disclose  possible  weaknesses  in  the 
installed  applications/systems. 

These periodic audits should probe the installed application
for weaknesses, changed circumstances which affect risk exposure,
etc., with the intention of stimulating corrective modifications
and improving the installed applications. Also, the auditor must
be mindful, when conducting periodic tests, that there are no
guarantees that the application system will continue to operate in
accordance with the latest approved specifications. Therefore,
adequacy of controls over program changes and operating procedures
is most important.

Finally,  the  auditor  must  be  alert  to  the  possibility  of  fraud 
or  other  irregularities  in  computer  systems.  Although  looking  for 
fraud  is  usually  not  the  primary  objective  of  audits,  the  detection 
of  fraud  should  be  a  general  audit  objective. 

GOAL  FOR  AUDITOR  PARTICIPATION 
DURING  SYSTEM  DESIGN  AND  DEVELOPMENT 

We believe, as do other professional audit authorities, that
the normal audit function should include active auditor
participation in reviewing the design and development of, or
significant modifications to, data processing systems (software as
well as hardware) or applications. However, such auditor
participation may not be feasible during the short run due to the
level of computer knowledge required or to limited staff resources.
We therefore include this requirement as an audit goal. In the
absence of effective audit of the system design and development
processes, the resultant system

— may not possess the built-in controls necessary to ensure
proper and efficient operations;

— may not provide the capability to track events through the
system and thus impede — if not completely frustrate — audit
review of the system in operation; and,

— (for financial systems) may not comply with generally
accepted accounting principles and may result in qualifications
of the accountant's opinion on the financial statements.

In addition, internal auditors may require specific managerial
authorization or direction to perform this work and external
auditors may need a special engagement. Whenever management approval
to perform such work has not already been given, the auditor has
a duty to alert management of the potential results of such
restriction. The auditor should formally communicate to management
information on the possible adverse effects of not requiring audit
review and evaluation of automated systems design and development
processes.

Underlying  rationale 

Both auditors and management officials have an interest in
ensuring that system design, development, and overall operations
achieve the objectives of adequate internal controls and effective
auditability. 1/ For systems already in existence when audits are
made, the auditor should determine whether the objectives of the
systems are being achieved.

As capabilities of computer-based information systems have
grown, the systems and applications have grown more complex and
interrelated. Initially, there were separate automated applications
for personnel, payroll, and labor cost accounting. Each application
or system would be processed independently of the others and input
material would be generated from separate and distinct sources,
then processed against separate data files.

With the integration of application systems now being
encountered, the payroll, personnel, and labor-cost accounting
applications can be interrelated subsystems of a far larger online
system, and the outputs of one subsystem can now be the inputs for
another without any human review. Thus, a control weakness in one
segment of the system may have completely unanticipated effects in
other segments with a cascading of effects causing catastrophic
results. Such mistakes, waste, and general confusion may even
adversely affect the organization's viability.

The  objectives  of  requiring  auditor  participation  in  system 
design,  development,  and  modification  are  set  forth  below,  with 
comments  on  each. 

Management  policies 

Objective  1:  To  provide  reasonable  assurance  that 
systems/applications  carry  out  the 
policies  management  has  prescribed 
for  them. 

Policies setting forth what is expected of ADP systems should
be established by management, and the auditor should determine
whether these policies are being carried out in the design. The
auditor should ascertain that an appropriate approval process is
being followed, both in the development of new systems and in the
modification of existing systems. The auditor should consider the
need for approval of the system's design by data processing
management, user groups, and other groups whose data and reports
may be affected. Also, the auditor should review the provisions for
security that are required by management to protect data for
programs against unauthorized access and modification.


1/Because the engagement of public accountants has unique
conditions, it is unlikely that public accountants will be able to
comply fully with this objective. However, they may partially
comply by determining the extent and effectiveness of the work
of the company's internal auditors or outside accountants in
the design and development phases.




If management's requirements are not being met, the auditor
has the responsibility to report shortcomings to the appropriate
officials who can take corrective action. Efforts to bring new
systems/applications to operation by scheduled dates frequently
have resulted in some management-desired elements or controls being
set aside by system designers for later consideration. The
auditor, in retaining his independence during the system design and
development cycle, should report such actions to top management
for appropriate resolution.

Audit trails

Objective 2: To provide reasonable assurance that
systems/applications provide the controls
and audit trails needed for management,
auditor, and operational review.

In financial applications, it is considered a basic tenet that
the capability must exist to trace a transaction from its
initiation, through all the intermediate processing steps, to the
resulting financial statements. Similarly, information in the
financial statements must be traceable to its origination. Such
capability is referred to by a variety of terms — audit trail,
management trail, transaction trail, etc. — and is also highly
essential in nonfinancial systems/applications. The reliability of
the output can be properly assessed when the transaction processing
flow can be traced and the controls over it (both manual and
automated) can be evaluated.

Audit review of the system design and development process can
help assure management that this tracing capability is in fact
being engineered into the systems/applications.
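The computer-assisted audit techniques that standard 2 calls for (re-summarizing what was entered and comparing it with what was reported, checking files for exception conditions) and the forward and backward tracing this objective describes both operate on the same machine-readable records. The Python example below is added here and is not part of the GAO standard or any agency system; the journal records, account names, statement figures, trail identifiers, and the edit-check rules are all constructed for illustration.

```python
"""Computer-assisted audit tests over a constructed transaction journal.

Added example, not from the GAO standard. Records, accounts, statement
figures, trail identifiers and edit-check rules are constructed. The tests
mirror the standard's list: re-summarize what was entered, compare with what
was reported, look for exception conditions, and trace a transaction forward
to its statement line and a statement line backward to its transactions.
"""
from collections import defaultdict

# Constructed journal. Each record carries the identifiers that make up the
# audit trail: source document -> transaction -> batch -> statement line.
JOURNAL = [
    {"txn": "T001", "source_doc": "INV-1001", "batch": "B01", "account": "travel", "amount": 125.00},
    {"txn": "T002", "source_doc": "INV-1002", "batch": "B01", "account": "travel", "amount": 80.00},
    {"txn": "T003", "source_doc": "INV-1003", "batch": "B02", "account": "supplies", "amount": 42.50},
    {"txn": "T004", "source_doc": "", "batch": "B02", "account": "supplies", "amount": 9999.00},
    {"txn": "T005", "source_doc": "INV-1002", "batch": "B02", "account": "travel", "amount": 80.00},
]

# Statement lines as reported by the application (constructed; "supplies" is
# made to disagree with the journal so the clerical test has something to find).
REPORTED_STATEMENT = {"travel": 285.00, "supplies": 10000.00}


def resummarize(journal):
    """Recompute each statement line from the detail records."""
    totals = defaultdict(float)
    for rec in journal:
        totals[rec["account"]] += rec["amount"]
    return dict(totals)


def clerical_differences(journal, reported, tolerance=0.005):
    """Statement lines whose recomputed total differs from the reported one."""
    recomputed = resummarize(journal)
    diffs = {}
    for account in sorted(set(recomputed) | set(reported)):
        ours = recomputed.get(account, 0.0)
        theirs = reported.get(account, 0.0)
        if abs(ours - theirs) > tolerance:
            diffs[account] = (ours, theirs)
    return diffs


def exception_conditions(journal, max_amount=5000.0):
    """Records that fail simple edit checks (rules are constructed examples)."""
    findings = []
    seen = {}   # (source_doc, amount) -> first transaction that used the pair
    for rec in journal:
        if not rec["source_doc"]:
            findings.append((rec["txn"], "missing source document"))
        if rec["amount"] > max_amount:
            findings.append((rec["txn"], f"amount exceeds {max_amount}"))
        key = (rec["source_doc"], rec["amount"])
        if rec["source_doc"]:
            if key in seen:
                findings.append((rec["txn"], f"duplicate of {seen[key]}"))
            else:
                seen[key] = rec["txn"]
    return findings


def trace_forward(journal, txn_id):
    """Follow one transaction to the statement line it ends up in."""
    for rec in journal:
        if rec["txn"] == txn_id:
            return {
                "source_doc": rec["source_doc"],
                "batch": rec["batch"],
                "account": rec["account"],
                "statement_line": resummarize(journal)[rec["account"]],
            }
    return None


def trace_backward(journal, account):
    """Return the transactions that make up one statement line."""
    return [rec["txn"] for rec in journal if rec["account"] == account]


if __name__ == "__main__":
    print("clerical differences:", clerical_differences(JOURNAL, REPORTED_STATEMENT))
    print("exceptions:", exception_conditions(JOURNAL))
    print("T003 forward:", trace_forward(JOURNAL, "T003"))
    print("travel backward:", trace_backward(JOURNAL, "travel"))
```

Both traces depend on every record carrying its source document, batch and account identifiers; a system that drops any of them at an intermediate step is exactly the case the objective warns about, where the trail cannot be followed in one direction or the other.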

Controls 

Objective 3: To provide reasonable assurance to management
that systems/applications include
the controls necessary to protect against
loss or serious error.

The system design and development processes include (1)
definition of the processing to be carried out by a computer, (2)
design of the processing steps to be followed, (3) determination of
the data input and files that will be required, and (4)
specification of each individual program's input data and output.
Each of these areas must be properly controlled in consonance with
good management practices, and the auditor's review must assure
management that the system/application, once placed in operation,
will meet this objective.

(It is possible for properly designed systems, with excellent
control mechanisms built in, to have these controls bypassed or
overridden. This area is addressed under computer audit standards
1 and 2.)




Note  that  almost  every  system  has  manual  aspects  (e.g.,  input 
origination,  output  disposition)  and  these  should  be  covered  for 
adequacy  by  the  auditor  reviewing  systems  controls. 

Efficiency  and  economy 

Objective 4: To provide reasonable assurance that
systems/applications will be efficient
and economical in operation.

Determining whether an organization is managing and utilizing
its resources (such as personnel, property, and space) efficiently
and economically and reporting on the causes of inefficiencies or
uneconomical practices, including inadequacies in management
information systems, administrative procedures, or organizational
structures, is considered here as a basic characteristic of
government program audits. With the development of complex
systems/applications, the internal auditor's review should also
demonstrate that operations will produce desired results at minimum
cost. For example, early in the system's development stage, the
auditor should review the adequacy of the (1) statement of mission
needs and system objectives, (2) feasibility study and evaluation
of alternative designs to meet those needs and objectives, and (3)
cost-benefit analysis which attributes specific benefits and costs
to system alternatives.

Legal  requirements 

Objective  5:  To  provide  reasonable  assurance  that 
systems/applications  conform  with 
applicable  legal  requirements. 

Legal requirements applicable to systems/applications may
originate from a variety of sources. One such requirement is
compliance with privacy statutes enacted at State and Federal
levels, in which certain types of information about individuals are
restricted as to collection and use. Appropriate safeguards are
obviously necessary in such systems. Conversely, those organizations
subject to the Freedom of Information Act should have
systems/applications designed so that appropriate and timely
response can be made to legitimate requests under the statute. The
applicability of the Federal Information Processing Standards
program to the system involved should also be checked by the
auditor. If such standards apply, they should be included in the
auditor's review.

Once again, auditor review of the design and development
processes can help assure management that these requirements have
been considered and satisfied.




Documentation 

Objective 6: To provide reasonable assurance that
systems/applications are documented
in a manner that will provide the
understanding of the system required
for appropriate maintenance and
auditing.

The auditor should determine whether the design/modification
process produces documentation sufficient to define (1) the
processing that must be performed by programs in the system, (2)
the data files to be processed, (3) the reports to be prepared for
users, (4) the operating instructions for use by computer
operators, and (5) the user group instructions for preparation and
control of data. The auditor should also ascertain whether
management policy provides for evaluation of documentation and
adequate testing of the system before it is made operational. These
steps are to ensure that reliance can be placed on the system and
its controls.

The methods of achieving these objectives will be determined
by the circumstances attending the specific situation. Generally,
such audit work will cover reviewing adequacy of management
policies; examining approvals, documentation, test results, cost
studies, and other data to determine whether management policies
and legal requirements are being followed; and determining whether
the system possesses the necessary control features and audit
trails.

The auditor should not become part of the system
design/development team to perform work under this objective.
Auditor involvement should be limited to reviewing what is being
done by the team and reporting to management an objective
evaluation of the effort.

At  the  completion  of  the  design  and  development  phases  and 
during  final  system  testing  phases,  the  auditor  should  verify  that 
the  implemented  system  conforms  with  these  six  objectives. 

On all audits of programs, activities, and functions supported
by existing computer-based systems, the auditor shall follow the
general and application standards for computer-related auditing.
If, during an audit, the auditor finds indications that the system
goals — as set forth in this objective — are not being met or have
changed, this should be reported to appropriate officials.


APPENDIX VI

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET

WASHINGTON, D.C. 20503

AUG 11 1981


Mr. W. D. Campbell
General Accounting Office
Room 6001, 441 G Street, N.W.
Washington, D.C. 20548

Dear  Mr.  Campbell: 

This  is  in  response  to  your  request  for  comments  on  the  draft 
report,  "Continuing  Need  by  Federal  Agencies  to  Develop 
Greater  Computer  Audit  Capabilities." 

Overall,  we  believe  this  report,  together  with  your  new  audit 
guide  "Evaluating  Internal  Controls  in  Computer-Based  Systems," 
will  be  helpful  in  improving  Federal  audit  capabilities.  The 
issue  is  an  important  one,  and  it  is  proper  that  attention  be 
directed  toward  it. 

We  would  like  to  offer  the  following  observations: 

— The report cites "little overall direction" and recommends
that OMB monitor computer audit capabilities and provide
guidance. This appears to overlook OMB actions since GAO's 1977
report on the same subject. In 1978 OMB issued Circular No.
A-71, Transmittal Memorandum No. 1, which calls for audits of
"sensitive" computer applications triennially. Under this
Circular, OMB has reviewed agency plans and has required changes
in those that do not meet the requirements of the Circular. OMB
is continuing to monitor and provide guidance.

The  President's  Council  on  Integrity  and  Efficiency  is 
currently  involved  in  two  activities  which  directly 
relate  to  the  needs  addressed  by  this  report.  A  Training 
Committee  has  been  established  to  identify  auditor 
training  needs  and  to  develop  a  program  to  meet  these 
needs.  One  of  the  areas  which  is  being  addressed  is  that 
of  computer  auditing.  Additionally,  the  President's 
Council  has  identified  the  area  of  computer  security  for 
a  proposed  project  which  will  address  protection  of 
computer  systems  against  significant  threats,  assurance 
that  data  is  accurate  and  reliable,  and  assurance  that 
system  operations  are  efficient  and  satisfy  user 
requirements. 




The report does not always distinguish properly between
management roles and auditor roles. For example, in calling on
agency auditors to inventory computer systems and applications,
the report does not mention that primary responsibility for such
an inventory is with management. Recently, management's
responsibility in this area was clearly reaffirmed in the
"Paperwork Reduction Act of 1980."

We  plan  to  contact  your  staff  in  the  future  to  arrange  for  a 
briefing  to  be  presented  to  the  members  of  the  President's 
Council  at  a  later  date.  This  would  permit  us  to  target  our 
efforts  for  corrective  action  and  do  a  more  effective  job  of 
monitoring  agency  progress  in  developing  and  maintaining 
their  computer  audit  capabilities. 

Thank  you  for  the  opportunity  to  comment. 


Deputy  Director 



United States Department of Agriculture
Office of Inspector General
Washington, DC 20250


Mr.  W.  D.  Campbell 
Acting  Director 
General  Accounting  Office 

Dear  Mr.  Campbell: 

We have reviewed the draft report entitled "Continuing Need by Federal
Agencies To Develop Greater Computer Audit Capabilities," and are in
general agreement with the recommendations.

We offer the following comments to the reported recommendations:

— Identify the agency's computer audit universe, including existing
computer systems and applications as well as those being planned
for design and development.

We  agree  the  agency's  computer  audit  universe  should  be  identified  and 
reviewed  periodically  in  conjunction  with  the  audit  planning  process. 

We  believe,  however,  that  the  audit  universe  must  stem  from  a  perpetual 
inventory  maintained  by  the  ADP  focal  point  within  the  agency.  Within 
USDA,  the  development,  maintenance  and  coordination  of  these  inventories 
rests  with  the  Office  of  Operations  and  Finance,  Data  Services  Division. 

We  have  worked  closely  with  Data  Services  to  better  insure  the  current 
inventory  system  identifies  all  current  and  proposed  ADP  systems. 

— Determine the extent to which computer activities need auditing
and conduct needed audits based on requirements of the GAO computer
audit standards relating to the (1) adequacy of general and application
controls; and (2) efficient, effective, and economical use
of computers.

We strive to adhere to the GAO computer audit standards during all audits.
To stay current on Departmental ADP activities and to improve audit
services, the ADP audit function, as it relates to USDA administered
operations, is centralized in one regional office. Residency audit staffs,
consisting of ADP specialists and auditors, are located at all but one
USDA computer center. In addition, each OIG regional office maintains
ADP specialists and auditors who evaluate State and local ADP systems
which handle USDA program activities. ADP systems and applications are
recommended for audit by these auditors and ADP specialists. Their
recommendations are evaluated and prioritized by management with major
consideration given to susceptibility to fraud, abuse and economic efficiencies.

— Determine the staff and skills needed to meet computer audit
responsibilities, and consider alternatives for developing and sustaining
these capabilities.




OIG  is  continually  evaluating  the  staffing  and  experience  needed  to  carry 
out  its  audit  program.  Because  data  processing  continues  to  grow  within 
the  Department,  we  have  tried  to  adjust  our  audit  staff  to  meet  these 
needs.  We  have  increased  the  number  of  ADP  specialists  in  OIG  from  four 
in  1974  to  nineteen  in  1981.  We  have  also  intensified  our  training  efforts 
in  the  ADP  area.  Approximately  65  percent  of  our  auditors  have  now  had 
some  form  of  ADP  training.  In  1982  we  plan  to  spend  $1,616,000  for  ADP 
training  and  to  purchase  minicomputers  which  will  greatly  enhance  our 
capability  to  audit  through  the  computer. 

—  Periodically  review  audit  coverage  of  computer  systems  and  adjust 
allocations  of  staff  resources  accordingly. 

The  OIG  audit  program  is  continually  changing.  Audits  are  added  and  deleted 
based  on  changing  priorities.  At  least  once  every  six  months  audit  managers 
meet  to  discuss  audit  priorities  and  adjust  allocations  of  staff  resources. 

—  Establish  a  basic  level  of  computer  knowledge  which  all  audit  staff 
must  attain.  Auditors  may  reach  this  basic  level  through  their  own 
educational  programs  or  by  training  during  their  employment. 

OIG  has  adopted  the  Federal  Audit  Executive  Council's  Auditor  Training 
Profile  and  the  Interagency  Auditor  Training  Program's  ADP  Policy  and 
Curriculum Standards Committee report as the basis for our auditor training
program.  We  have  supplemented  these  guidelines  with  internal  training 
programs,  such  as: 

1. Introduction to ADP - a training program for new auditors which
presents the ADP auditing standards and their application in OIG.

2.  Audit  of  ADP  Systems  and  Applications  -  a  training  program  which 
instructs  the  auditor  in  GAO's  ADP  Auditing  Standards  and  the  AICPA's 
SAS  #3. 

We  appreciate  the  opportunity  to  comment  on  this  draft  report. 


Sincerely, 


ROBERT E. MAGEE, Acting
Inspector General




DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of Inspector General
Washington, D.C. 20201

JUL 1981


Mr.  Gregory  J.  Ahart 
Director,  Human  Resources 
Division 

United  States  General 
Accounting  Office 
Washington,  D.C.  20548 

Dear  Mr.  Ahart: 

The Secretary asked that I respond to your request for our
comments on your draft report entitled, "Continuing Need
By Federal Agencies To Develop Greater Computer Audit Capabilities."

The enclosed comments represent the tentative position of
the Department and are subject to reevaluation when the
final version of this report is received.

We  appreciate  the  opportunity  to  comment  on  this  draft  report 
before  its  publication. 


Sincerely  yours, 

Richard  P.  Kusserow 
Inspector  General 


Enclosure 




COMMENTS  OF  THE  DEPARTMENT  OF  HEALTH  AND  HUMAN  SERVICES  ON 
THE  GAO  DRAFT  REPORT,  "CONTINUING  NEED  BY  FEDERAL  AGENCIES 
TO  DEVELOP  GREATER  COMPUTER  AUDIT  CAPABILITIES" 


We  agree  with  the  GAO  that  there  is  a  need  for  increased 
emphasis on computer related audits. The OIG Audit Agency
is  committed  to  the  continued  involvement  of  our  auditors  in 
all  areas  of  computer  auditing  and  to  increased  audit  coverage 
of  computer-based  systems. 

As  pointed  out  in  the  GAO  audit  report,  the  Audit  Agency  has 
taken  strong  and  aggressive  action  to  insure  that  computer 
related  audits  are  adequately  covered.  We  have  developed 
specific  guidelines  in  our  audit  policy  handbook  for  each  of 
the  GAO  computer  audit  standards  to  insure  our  auditors  are 
involved in all phases of automatic data processing (ADP).

We  have  also  established  an  ADP  Audit  Committee.  The 
members,  top  headquarters  and  field  managers,  evaluate  and 
recommend  ways  in  which  the  Audit  Agency  can  meet  the  challenge 
of  effective  computer  auditing. 

Achieving  the  intent  of  the  GAO  recommendations  must  be 
viewed  as  a  long  range  goal.  As  staff  auditors  complete  the 
Audit  Agency's  computer  audit  training  programs,  we  will 
gradually  increase  our  capacity  to  conduct  more  ADP  audits 
of  systems  under  design  and  in  operation. 

GAO  Recommendations 


1.  Identify  the  agency's  computer  audit  universe,  including 
existing  computer  systems  and  applications  as  well  as  those 
being  planned  for  design  and  development. 

We  agree.  As  of  June  1981  an  inventory  has  been  compiled  of 
the  Department's  large  scale  computer  systems  identifying 
their  location,  make/model  and  date  acquired.  A  complete 
computer  listing  of  all  the  ADP  applications  assigned  to 
these  systems  has  also  been  generated.  The  Office  of  the 
Assistant  Secretary  for  Management  and  Budget  maintains 
these  lists  on  a  current  basis.  We  are  also  considering 
having all the Operating Divisions (OPDIVs) in this Department
routinely  notify  the  Office  of  Inspector  General  of  all 
planned  major  systems  design  and  development  projects  for 
possible  audit  participation. 

2.  Determine  the  extent  to  which  computer  activities  need 
auditing  and  conduct  needed  audits  based  on  requirements  of 
the  GAO  computer  audit  standards  relating  to  the  (1)  adequacy 
of  general  and  application  controls;  and  (2)  efficient, 
effective,  and  economical  use  of  computers. 




We  agree.  The  Audit  Agency  has  long  performed  limited 
audits  of  selected  aspects  of  computer  systems.  The  Annual 
Work  Plan  for  FY  1981  includes  audits  of  several  SSA  computer 
systems.  For  example,  the  Audit  Agency  recently  completed  a 
comprehensive  audit  into  all  aspects  of  SSA's  computer 
processing  system  for  annual  wage  reporting  on  magnetic 
tape. The auditors participated in SSA's design and development
for the SSI "Offset Provisions - Project Windfall" and
recently completed a follow-up review of the security controls
over SSA's telecommunications system. The Audit Agency has
been actively involved in a number of computer matches
involving SSA programs as well as programs administered by
other Departmental OPDIVs, other Federal agencies, or State
and  local  government  organizations.  These  matches  are 
designed  to  identify  people  who  may  be  receiving  benefits 
for  which  they  are  not  entitled.  We  are  committed  to 
continue  and,  to  the  extent  possible,  increase  our  audit 
coverage  of  the  Department's  50  large  scale  computer  systems. 

3.  Determine  the  staff  and  skills  needed  to  meet  computer 
audit  responsibilities,  and  consider  alternatives  for 
developing  and  sustaining  these  capabilities. 

The  Audit  Agency  is  well  aware  of  the  need  for  specialized 
skills  needed  to  meet  computer  audit  requirements.  We  have 
a  staff  of  about  50  audit  specialists  —  computer  systems 
analysts  as  well  as  auditor  trained  specialists  in  the  field 
of  computer  auditing  and  statistical  sampling  —  at  our 
headquarters  and  regional  offices.  In  1973,  the  headquarters 
staff  (Advanced  Audit  Techniques  Staff)  developed  a  computer 
audit system called HEWCAS. This system comprises procedures,
training,  and  time  sharing  computer  programs  for  all  auditors 
to  utilize  in  conducting  examinations  of  computer  records. 

It  is  our  policy  to  include  use  of  HEWCAS,  computer  programs, 
test  decks  or  other  advanced  audit  techniques  in  all  internal 
audit  programs  encompassing  specific  computer  applications. 

The  Advanced  Audit  Techniques  Staff  and  our  computer  system 
analysts  are  constantly  involved  in  writing  application 
programs  to  assist  auditors  in  performing  computer  related 
audits.

4.  Periodically  review  audit  coverage  of  computer  systems 
and  adjust  allocations  of  staff  resources  accordingly. 

We  agree  and  are  constantly  searching  for  new  ways  to  allocate 
our  staff  resources  to  audit  SSA's  expanding  computer  systems. 
When  SSA  initiates  a  new  system,  we  adjust  our  staffing  to 
the  extent  possible,  to  provide  sufficient  comprehensive 
audit  coverage. 

5.  Establish  a  basic  level  of  computer  knowledge  which  all 
audit  staff  must  attain.  Auditors  may  reach  this  basic 
level  through  their  own  education  programs  or  by  training 
during  their  employment. 




As  pointed  out  in  the  report,  the  Office  of  Inspector  General 
established  a  National  Professional  Development  Center 
(NPDC) in June 1978. The NPDC is charged with the responsibility
of  developing  a  comprehensive  professional  development 
program  designed  to  expand  the  expertise  of  the  professional 
staff  and  enhance  the  accomplishment  of  the  Audit  Agency's 
mission.  To  this  end,  the  NPDC  has  included  in  its  curriculum 
nine  courses  on  auditing  computer  systems,  plus  other  courses 
on  data  retrieval  techniques.  To  keep  abreast  of  the  latest 
changes  in  the  state  of  the  art,  the  NPDC  is  constantly 
upgrading  the  training  programs  to  better  serve  the  needs  of 
the  Department  and  of  the  auditor.  In  addition  to  providing 
courses  at  the  NPDC,  we  encourage  the  professional  staff  to 
participate  and  become  active  members  of  other  professional 
organizations  and  to  seek  additional  outside  training. 




UNITED  STATES  DEPARTMENT  OF  EDUCATION 

WASHINGTON, D.C. 20202


OFFICE  OF  INSPECTOR  GENERAL 


AUG 7 1981


Mr.  Gregory  J.  Ahart 
Director 

Human  Resources  Division 
United  States  General 
Accounting  Office 
Washington,  D.C. 

Dear  Mr.  Ahart: 

The  Secretary  has  asked  that  I  respond  to  your  request  for 
our  comments  on  your  draft  report  entitled,  "Continuing  Need 
By  Federal  Agencies  to  Develop  Greater  Computer  Audit 
Capabilities."  We  acknowledge  the  need  for  compliance  with 
the  GAO  standards  for  auditing  computer-based  systems. 

These  standards  are  part  of  our  audit  policy  manual.  We  are 
also  developing  audit  guidelines  and  audit  programs  to 
institutionalize  these  standards  in  our  audit  work. 

In  accordance  with  your  recommendations,  we  plan  to  identify 
the  Department's  computer  audit  universe,  including  existing 
computer  systems  and  applications,  as  well  as  those  being 
planned  for  design  and  development.  This  process  will 
include  determining  the  extent  to  which  computer  activities 
need  auditing.  We  plan  to  have  this  process  completed  by 
October  1,  1981.  Once  this  task  is  completed,  we  will 
proceed  to  determine  our  needs  regarding  staffing  and  the 
associated  skill  levels  required  to  meet  our  computer  audit 
responsibilities. 

The  computer  audit  universe,  along  with  all  other  elements 
of  our  audit  universe,  will  be  prioritized  in  accordance 
with OMB Circular A-73. To the extent our resources permit
and  in  line  with  other  audit  priorities,  we  will  conduct 
audits  of  the  Department's  computer  systems  and  applications 
in  accordance  with  GAO  standards.  We  will  assess,  at  least 
annually,  the  adequacy  of  audit  coverage  of  the  computer 
area  and  make  appropriate  adjustments  in  audit  plans. 




We  plan  to  augment  our  computer  audit  staff  to  the  extent 
possible  in  our  restricted  hiring  situation.  We  will 
provide computer audit training to our current staff to the
extent possible with our limited training funds. We are
developing programmed learning tools to assist auditors in
developing certain computer audit skills.

It  is  our  intention  to  meet  the  GAO  standards  to  the  best  of 
our  ability  within  the  limits  of  our  resources  and  the 
competing  demands  for  those  resources. 


Sincerely, 


James B. Thomas, Jr.
Inspector General




DEPARTMENT  OF  HOUSING  AND  URBAN  DEVELOPMENT 
OFFICE  OF  INSPECTOR  GENERAL 
WASHINGTON, D.C. 20410


August  7,  1981 


Mr.  W.  D.  Campbell 
Acting  Director,  Accounting  and 
Financial  Management  Division 
U.S.  General  Accounting  Office 
Washington,  D.C.  20548 

Dear Mr. Campbell:

The  Secretary  has  asked  me  to  comment  on  the  draft  report  "Continuing 
Need  by  Federal  Agencies  to  Develop  Greater  Computer  Audit  Capabilities." 
Comments  on  each  of  the  GAO  recommendations  follow: 


ZA  1601 
ZA  2012.17 


Identify the agency's computer audit universe, including existing computer
systems and applications as well as those being planned for design
and development.


The  Department  of  Housing  and  Urban  Development  (HUD)  maintains  an 
inventory  of  automated  systems  which  is  updated  annually.  The  inventory 
includes  a  description  of  operational  systems,  systems  under  development 
and  systems  planned  for  future  operations.  We  use  this  inventory  to 
identify  sources  for  data  used  in  internal  audits  and  investigations. 
Also,  we  use  the  inventory  in  selecting  automated  application  systems  for 
audit.


Determine the extent to which computer activities need auditing and conduct
needed audits based on requirements of the GAO computer audit standards
related to the: (1) adequacy of general and application controls;
and (2) efficient, effective and economical use of computers.


Our  selection  of  audits  is  based  upon  the  criteria  established  in 
Office  of  Management  and  Budget  Circular  A-73,  Audit  of  Federal  Operations 
and  Programs.  In  our  preliminary  planning  for  the  Fiscal  Year  1982  Annual 
Audit  Plan,  we  have  scheduled  five  major  automated  application  systems  for 
audit.  We  will  assign  responsibility  for  conducting  some  of  these  audits 
to  our  field  office  auditors  who  have  data  processing  training  or 
experience.


The  scope  of  the  application  system  audits  includes  an  evaluation  of 
the  effectiveness  of  the  systems  in  meeting  the  needs  of  programmatic 
users  and  the  efficiency  of  these  systems.  In  addition,  we  periodically 
schedule  and  conduct  audits  of  general  controls  and  audits  which  address 
the  efficient,  effective  and  economical  use  of  computers.  For  example,  we 
have  two  major  audits  in  progress  which  address  the  latter  --  an  audit  of 
data  processing  management  and  an  audit  of  our  field  offices'  use  of  data 
processing. 




We  have  worked  with  the  Department's  ADP  Security  Officer  to  establish 
procedures  for  using  risk  analysis  in  developing  automated  systems.  When 
effectively  implemented,  these  procedures  will  enable  our  staff  to:  (1) 
reduce  the  time  required  to  audit  automated  application  systems,  (2)  expand 
the audit coverage, and (3) allocate audit resources to high risk application
systems. In addition, the procedures will benefit data processing
users,  data  processing  personnel  and  computer  security  administrators  in 
developing  controls  for  automated  systems. 

The proposed procedures provide for auditor participation during the
design and development of systems and for an evaluation of operational
systems. These procedures will increase the effectiveness of our audit staff
in complying with the GAO computer audit standards and enable the
Department to comply with OMB Circular A-71, "Security of Federal Automated
Information Systems."

Determine the staff and skills needed to meet computer audit
responsibilities, and consider alternatives for developing and sustaining these
capabilities.

We  will  continue  to  evaluate  the  staffing  and  skills  needed  to  meet 
computer  audit  responsibilities  and  to  revise  our  training  plan  as 
required. 


In  the  past  year,  we  have  added  two  computer  auditors  to  our 
Headquarters  audit  staff.  Through  an  inter-agency  agreement  with  the 
Federal  Computer  Performance  Evaluation  and  Simulation  Center,  we  have 
provided  additional  resources  for  computer  auditing. 

Periodically  review  audit  coverage  of  computer  systems  and  adjust 
allocations  of  staff  resources  accordingly. 

We  review  audit  coverage  of  computer  systems  annually  in  the  audit 
planning  process,  and  allocate  resources  based  on  prescribed  Office  of 
Management  and  Budget  criteria. 

Establish  a  basic  level  of  computer  knowledge  which  all  audit  staff  must 
attain.  Auditors  may  reach  the  basic  level  either  through  their  own 
educational programs or by training during their employment.

We  currently  are  incorporating  GAO  computer  audit  standards  into  our 
audit  guides.  The  audit  guides  will  include  a  section  on  general  and 
application  controls.  The  latter  will  be  tailored  to  the  specific  types 
of  audits  which  we  regularly  conduct.  Starting  September  1981,  we  will 
conduct  training  courses  on  these  guides.  This  approach  offers  the 
advantages  of  providing  basic  level  knowledge  and  enabling  auditors  to 
apply  this  knowledge  to  specific  types  of  audits.  Use  of  the  guides  will 
be  required  in  audits  involving  computer-based  systems. 

Thank  you  for  the  opportunity  to  comment  on  the  draft  report. 


Sincerely, 


Paul  A.  Adams 

Deputy  Inspector  General 




U.S. Department of Labor
Office of Inspector General
Washington, D.C. 20210

AUG 5 1981

Mr. W. D. Campbell
Room 6001
441 G Street, N. W.
Washington, D. C. 20548

Dear  Mr.  Campbell: 

This  is  in  reply  to  your  letter  to  the  Secretary  of  Labor  requesting 
comments  on  the  draft  GAO  report  entitled  "Continuing  Need  by 
Federal  Agencies  to  Develop  Greater  Computer  Audit  Capabilities." 

The  Department  basically  concurs  with  the  recommendations  contained 
in  this  report.  Attached  is  a  summary  of  actions  taken  or  being 
taken  to  correct  problems  identified  in  the  GAO  review. 

Thank  you  for  giving  us  the  opportunity  to  comment. 

Sincerely,

Thomas  F.  McBride 
Inspector  General 

Attachment 





U.  S.  Department  of  Labor's  Response  to 
the  Draft  General  Accounting  Office 
Report  Entitled  -- 

"Continuing  Need  By  Federal  Agencies  To 
Develop  Greater  Computer  Audit  Capabilities" 


Recommendation: Heads of Federal agencies help ensure that
their inspector general and internal audit organizations
properly consider agency computer operations in providing
internal audit coverage by requiring them to:

--Identify the agency's computer audit universe,
including existing computer systems and applications
as well as those being planned for design and
development.

--Determine the extent to which computer activities need
auditing and conduct needed audits based on
requirements of the GAO computer audit standards
relating to the

(1) adequacy of general and application controls; and

(2) efficient, effective, and economical use of
computers.

--Determine  the  staff  and  skills  needed  to  meet  computer 
audit  responsibilities,  and  consider  alternatives  for 
developing  and  sustaining  these  capabilities. 

--Periodically  review  audit  coverage  of  computer  systems 
and  adjust  allocations  of  staff  resources  accordingly. 

--Establish  a  basic  level  of  computer  knowledge  which 
all  audit  staff  must  attain.  Auditors  may  reach  this 
basic  level  through  their  own  educational  programs  or 
by  training  during  their  employment. 




U.S. GOVERNMENT PRINTING OFFICE 1981




Response: The Department concurs. Within the Department
there are over 100 automated systems, and over a three year
period  from  fiscal  year  1980  to  1982,  the  estimated  budget 
for  ADP  related  activities  has  increased  from  about  $63 
million  to  $92  million.  The  Department  operates  six  major 
computers  supported  by  48  central  processing  units,  and  uses 
a  variety  of  remote  batch  terminals,  interactive  terminals, 
mini-computers,  and  micro  computer  based  word  processing 
systems  and  telecommunications  networks.  These  systems  have 
become  virtually  inseparable  from  the  programs  they  support 
and  the  Office  of  Inspector  General  must  have  appropriate 
audit  and  analytical  skills  not  only  to  meet  GAO  computer 
audit  standards  but  also  to  be  able  to  more  effectively  use 
the  computer  in  identifying  problems  relating  to  fraud, 
waste,  and  abuse  in  the  Department's  programs  and  in  meeting 
OIG  management  needs. 

Presently  the  OIG  has  a  good  estimate  of  the 
Department's  ADP  inventory.  In  the  past,  the  OIG  had  a  staff 
dedicated  to  performing  reviews  of  ADP  systems  including 
application  controls  and  design  and  development  activities. 
However,  this  capability  was  greatly  diminished  through 
personnel  losses,  hiring  restrictions  and  mandatory  workload 
factors  involving  CETA  and  other  external  audits. 

OIG  recognizes  that  this  situation  must  be  quickly 
reversed  and  there  is  a  high-priority  need  for  experienced 
computer  professionals.  Skilled  ADP  personnel  are  urgently 
required  for  efficiency,  effectiveness,  and  economy  audits  of 
application  and  computer  systems,  and  for  the  evaluation  of 
controls  in  complex  applications.  As  personnel  ceilings  are 
lifted  and  hiring  authority  is  granted,  several  individuals 
with  highly  skilled  ADP  backgrounds  will  be  quickly  recruited 
and  hired.  Also,  a  program  is  being  developed  to  provide 
existing  staff  members  with  the  necessary  computer  audit 
skills.  The  Assistant  Inspector  General  for  Audit  has 
identified  key  members  of  the  audit  staff  who,  based  on  their 
knowledge and interest in ADP auditing, will work with the
to-be-hired  ADP  specialists  and  be  responsible  for: 

--identifying  a  course  of  study  and  on-the-job  training 
to  enable  themselves  to  become  especially  proficient 
in the ADP area;




— assisting  in  the  identification  of  suitable  training 
programs  in  ADP  auditing  for  all  OIG  professional 
staff;  and 

— becoming  leaders  in  conducting  ADP  audits  of  all  agency 
programs  and  operations  deemed  to  be  particularly 
vulnerable  to  fraud,  waste,  abuse,  and  error. 

We  believe  the  two-pronged  approach  of  hiring  ADP 
specialists  and  providing  specialized  training  to  existing 
staff  will  be  effective,  over  time,  in  developing  the  level 
of  expertise  necessary  to  meet  GAO  computer  audit  standards. 




U.S. Department of Transportation
Office of the Secretary of Transportation
Assistant Secretary for Administration
400 Seventh Street, S.W.
Washington, DC 20590


July  22,  1981 


Mr.  W.  D.  Campbell 
Acting  Director,  Accounting  and 
Financial  Management  Division 
U.S.  General  Accounting  Office 
Washington,  DC  20548 

Dear Mr. Campbell:

We have reviewed the proposed draft report, "Continuing Need By Federal
Agencies To Develop Greater Computer Audit Capabilities," dated June 25, 1981,
and concur in the findings and recommendations to the extent they apply to
this Department. It should be noted that the Department's Inspector General
has initiated action to rectify conditions cited in the GAO draft report.

Our  actions  on  specific  recommendations  are  shown  below. 

1.  With  respect  to  the  first,  second,  and  fourth  recommendations  on  page  iv 
of  the  report,  no  action  has  been  taken.  We  are  in  the  process  of 
recruiting to establish an ADP audit capability. Action on these
recommendations will be taken as soon as this capability is established.

2.  On  the  third  recommendation  we  have  made  a  study  to  determine  our 
staffing  requirements  and  have  started  recruitment  of  ADP  auditors. 

A  copy  of  the  study  and  three  job  announcements  are  enclosed. 

3.  On  the  fifth  recommendation  we  have  identified  the  training  needed  to 
establish  a  basic  level  of  computer  knowledge  which  all  audit  staff 
members  must  attain.  Enclosed  is  a  copy  of  our  auditor  training  pro¬ 
file  showing  the  training  identified. 

Sincerely, 


Enclosures 




Memorandum
U.S. Department of Transportation
Office of the Secretary of Transportation

Date: 1981    Reply to Attn of: JP-30

Subject: Staff Study on Auditing Automated Data Processing
Systems by the OIG

From: Paul C. Hoshall
Chief, ADP Support Group

To: Renald P. Morani
Assistant Inspector General for
Policy, Planning and Resources

Attached  is  a  staff  study  which  I  believe  presents  a  realistic  overview 
of  the  problems  facing  the  Office  of  Inspector  General  in  reviewing 
Automated  Data  Processing  (ADP)  Systems  throughout  the  Department  of 
Transportation.  We  have  tried  to  provide  recommendations  which  will 
address the identified problems and will provide a basis for a
comprehensive and effective ADP review program within the OIG.

As  soon  as  decisions  are  made  regarding  the  four  areas  of  recommendations 
set  out  in  the  management  synopsis  on  page  3  of  the  study,  I  recommend 
that  a  small  task  force  be  assigned  the  job  of  implementation.  Specific 
task  force  members  would  be  selected  with  an  eye  toward  coordinating 
progress  on  all  adopted  recommendations  and  for  rapid  alternatives 
analysis to implement this critical area as soon as possible.


Attachment 




DEPARTMENT  OF  TRANSPORTATION 
OFFICE  OF  INSPECTOR  GENERAL 


AUDITING  AUTOMATED  DATA  PROCESSING  SYSTEMS 
(MANAGEMENT  SYNOPSIS) 


AS OF JANUARY 30, 1981




THE  CURRENT  SITUATION 

The Department of Transportation (DOT) Office of Inspector General (OIG)
is  not  currently  organized,  staffed  or  trained  to  effectively  carry  out 
all  existing  responsibilities  with  respect  to  reviews  of  planned,  developing 
or  functioning  Automated  Data  Processing  (ADP)  systems.  There  is  no  clear 
definition  of: 

1.  The  types  and/or  levels  of  reviews  necessary; 

2.  The  specific  type  and/or  location  of  the  major  ADP  systems  with  which 
the  OIG  must  contend; 

3.  Specific  organizational  components  responsible  for  various  aspects  of 
necessary  reviews; 

4.  Specific  procedures  to  be  followed  in  accomplishing  assigned  duties;  and 

5. The training and/or experience necessary to accomplish identified workload.

RECOMMENDATIONS


This staff study recommends:

1.  Identifying  and  staffing  two  core  ADP  review  groups: 

a.  An  ADP  Audit  staff  reporting  directly  to  the  Director,  Office  of 
DOT-Wide  Programs  and  responsible  for  conducting  or  leading  ADP  audits 
throughout  DOT;  and 

b.  An  ADP  technical  support  staff  reporting  directly  to  the  Assistant 
Inspector  General  for  Policy,  Plans,  and  Resources  Management,  and 
responsible  for  furnishing  ADP  technical  expertise  to  all  organizations 
within  the  OIG  as  well  as  developing  and  maintaining  the  OIG  Management 
Information  System; 

2.  Establishing  basic  organizational  and  operating  policy  with  respect  to 
all  organizations  involved,  the  types  of  reviews  to  be  performed  and  the 
methodology  of  performance; 

3.  Establishing  a  formalized  training  program  to  ensure  that  OIG  personnel 
are  adequately  prepared  for  ADP-related  reviews;  and 

4.  Considering  further  ADP  audit  staff  development  and  training  throughout 
the  OIG  based  on  identified  workload. 




General Services Administration
Washington, DC 20405

1981

Mr. Donald J. Horan
Director, Procurement, Logistics and
Readiness Division
U.S. General Accounting Office
Washington, D.C. 20548

Dear  Mr.  Horan: 

Thank  you  for  the  opportunity  to  comment  on  your  draft  report:  "Continuing 
Need  by  Federal  Agencies  to  Develop  Greater  Computer  Audit  Capabilities." 

We  agree  with  your  conclusions  and  recommendations  to  ensure  appropriate 
computer  audit  coverage  within  each  Federal  agency. 

We  are  pleased  that  the  General  Services  Administration's  Office  of  Audits 
is  characterized  in  the  GAO  report  as  an  example  of  an  effective  computer 
audit  group  which  has  performed  audits  that  resulted  in  savings  and  program 
improvements.  As  noted  in  your  report,  the  GSA  has  already  recognized  the 
need  for  increased  emphasis  in  the  areas  of  computer  technology  and  computer 
auditing.  The  Office  of  Inspector  General  has  taken  aggressive  action  to 
meet  these  needs.  At  the  time  of  your  review,  we  had  eight  audit  positions 
devoted  exclusively  to  computer  auditing  and  had  plans  to  add  four  more. 
However,  due  to  current  budget  and  staffing  restrictions,  only  two  additional 
positions  were  added.  As  a  result  of  these  cutbacks,  we  are  increasing  our 
computer  audit  training  of  the  existing  staff  to  help  provide  the  necessary 
audit  skills. 

We  will  be  pleased  to  discuss  these  comments  if  you  have  any  questions. 


National  Aeronautics  and  Space  Administration
Washington,  D.C.  20546

1981


Mr.  W.  D.  Campbell 
Acting  Director  of  Accounting  and 
Financial  Management  Division 
U.S.  General  Accounting  Office 
Washington,  DC  20548 


Dear  Mr.  Campbell: 

Thank  you  for  the  opportunity  to  review  GAO's  draft  report 
entitled,  "Continuing  Need  By  Federal  Agencies  To  Develop  Greater 
Computer  Audit  Capabilities,"  Code  913590. 

We  generally  agree  with  the  contents  and  recommendations 
contained  in  the  report.  Our  detailed  comments  are  provided  in 
the  enclosure  to  this  letter. 


Sincerely, 


Deputy  Associate  Administrator
for  External  Relations 

cc:  GAO/Mr.  W.  H.  Sheley,  Jr. 


GAO  DRAFT  REPORT 

CONTINUING  NEED  BY  FEDERAL  AGENCIES  TO 
DEVELOP  GREATER  COMPUTER  AUDIT  CAPABILITIES 


The  following  comments  are  furnished  in  response  to  GAO  draft 
report  Code  913590. 

I  agree  with  the  contents  and  recommendations  contained  in  the 
draft  report  and  am  in  the  process  of  identifying  our  computer 
audit  resource  requirements.  However,  we  will  have  to  schedule 
audits  of  computer  systems  in  relation  to  our  total  audit 
responsibilities.  At  the  present  time,  five  auditors,  or 
approximately  10  percent  of  our  auditors  have  sufficient  training 
and  experience  to  conduct  routine  ADP  audits.  Only  two  have  the 
qualifications  to  conduct  the  more  sophisticated  ADP  audits. 
Staffing  limitations  and  our  other  audit  responsibilities 
preclude  our  exclusive  use  of  even  these  resources  in  the  ADP
area.

With  over  five  hundred  computer  systems  comprising  1,862  central 
processing  units  and  almost  an  unlimited  number  of  applications, 
we  cannot  provide  adequate  coverage  without  dramatic  changes  in 
our  operation.  I  have  established  the  development  of  ADP 
expertise  as  the  highest  priority  for  this  OIG.  I  have  moved  the 
best  qualified  of  our  existing  staff  to  a  separate  unit  to  work 
exclusively  on  ADP  aspects  of  audits  and  investigations. 
Recruitment  (when  feasible)  will  consider  our  ADP  needs  before 
vacancies  or  any  new  positions  are  filled.  Further  we  will  train 
as  many  as  possible  of  our  existing  staff  in  the  basics  of 
computer  science.  When  appropriate,  we  will  contract  for 
additional  ADP  support.  Although  I  recognize  the  enormity  of 
this  undertaking,  I  feel  these  steps  will  have  the  most 
significant  impact  on  our  ability  to  achieve  the  long-term  goal 
of  reasonable  ADP  audit  and  investigative  coverage. 

Veterans  Administration
Office  of  the  Administrator  of  Veterans  Affairs
Washington,  D.C.  20420

AUGUST  10,  1981


Mr.  W.  D.  Campbell
General  Accounting  Office 
441  G  Street,  NW 
Washington,  DC  20548 

Dear  Mr.  Campbell: 

We  have  reviewed  the  General  Accounting  Office  (GAO)  July  2,  1981  draft 
report,  "Continuing  Need  by  Federal  Agencies  to  Develop  Greater  Computer 
Audit  Capabilities,"  which  states  that  with  the  expanding  computer  usage 
and  the  billions  spent  annually  on  data  processing,  Federal  inspectors 
general  and  internal  audit  organizations  must  properly  consider  Government
computer  operations  in  fulfilling  internal  audit  responsibilities.

GAO  reported  that  many  Federal  internal  audit  organizations  have  not  provided
adequate  audit  coverage  for  their  agencies'  computer  operations  as
prescribed  by  GAO's  1977  report  and  the  GAO  computer  audit  standards. 

The  report  also  states  that  while  most  of  the  audit  organizations  reviewed 
had  conducted  at  least  some  computer  audits  since  the  1977  report,  many 
had  not  completely  identified  their  agencies'  computer  activities  to  aid 
in  planning  appropriate  audit  coverage. 

GAO  recommends  that  the  heads  of  Federal  agencies  help  ensure  that  their 
inspectors  general  and  internal  audit  organizations  properly  consider 
agency  computer  operations  in  providing  internal  audit  coverage  by  requiring
them  to:

— Identify  the  agency's  computer  audit  universe,  including 
existing  computer  systems  and  applications  as  well  as  those 
being  planned  for  design  and  development. 

I  concur,  and  the  Office  of  Audit  (OA),  in  the  Office  of  the  Inspector
General,  has  developed  a  method  for  identifying  the  computer  audit  universe.
Information  about  computer  hardware/systems  and  applications  is
obtained  through  cyclical  audits,  program  audits,  and  through  the  Office 
of  Data  Management  and  Telecommunications  (DM&T).  The  OA  is  also  in  the 
process  of  obtaining  updates  from  the  Office  of  DM&T  on  those  computer 
systems  and  applications  already  in  place  or  in  planning  stages.  A  representative
from  OA  serves  on  the  Agency's  committee  for  planning  and
designing  computer  systems. 

—  Determine  the  extent  to  which  computer  activities  need
auditing  and  conduct  needed  audits  based  on  requirements  of
the  GAO  computer  audit  standards  relating  to  the  (1)  adequacy
of  general  and  application  controls;  and  (2)  efficient,
effective,  and  economical  use  of  computers.

The  Veterans  Administration  (VA)  has  been  unable  to  fully  comply  with
the  GAO  computer  audit  standards  and  has  had  difficulty  in  achieving  the
requirements  of  OMB  Circular  A-71  on  cyclic  security  audits  of  computer
systems.  The  noncompliance  resulted  from  not  having  either  a  sufficient
technical  staff  or  a  complete  audit  universe.  The  emphasis  that  is  now
being  placed  on  computer  related  audits  will  assist  the  OA  in  complying
with  the  GAO  computer  audit  standards  in  a  relatively  short  period  of
time.  I  agree  that  this  extremely  important  and  primary  function  must
be  met.

— Determine  the  staff  and  skills  needed  to  meet  computer  audit 
responsibilities,  and  consider  alternatives  for  developing 
and  sustaining  these  capabilities. 

I  concur  in  this  recommendation  but  also  recognize  that  implementation 
is  not  possible  until  the  complete  audit  universe  is  identified  and  we 
have  determined  the  extent  to  which  computer  activities  are  in  need  of 
audit.  However,  there  is  no  question  that  we  need  to  assure  that  a  well 
qualified  staff  is  available  to  perform  audits  of  computer  systems,  applications,
and  design  activities.

— Periodically  review  audit  coverage  of  computer  systems  and 
adjust  allocations  of  staff  resources  accordingly. 

I  concur  with  this  recommendation  and,  to  the  extent  that  audit  findings
permit,  resource  allocations  will  be  adjusted  to  assure  adequate  audit 
coverage  of  computer  systems. 

— Establish  a  basic  level  of  computer  knowledge  which  all 
audit  staff  must  attain.  Auditors  may  reach  this  basic 
level  through  their  own  educational  programs  or  by  training
during  their  employment.

The  professional  level  of  the  VA  auditors'  computer  capabilities  is  one 
of  our  primary  concerns.  In  the  past,  the  OA  has  experienced  considerable 
difficulty  in  employing  well  qualified  computer  audit  specialists  and  has 
attempted  to  meet  these  needs  by  hiring  professional  computer  specialists 
and/or  providing  internal  and  external  computer  audit  training  for  accountants
and  program  specialists.

The  OA  has  implemented  an  educational  program  to  assure  that  all  auditors 
obtain  a  basic  level  of  computer  knowledge.  At  this  time,  all  professional 
staff  has  received  basic  training  in  the  uses  of  the  Health,  Education, 
and  Welfare  Computer  Audit  System.  As  part  of  this  training,  the  auditors 
received  basic  instructions  on  the  general  computer  system  and  its  utilization
in  the  performance  of  audits.  It  is  our  policy  to  encourage  auditors
to  obtain  and/or  continue  their  educational  programs  during  their  employment. 
It  is  also  our  policy  to  assure  that  professional  staff  members  receive  an 
average  of  two  weeks'  training  each  fiscal  year.  We  encourage  professional
staff  members  to  avail  themselves  of  external  training  opportunities  on 
their  personal  time  by  funding  those  programs  directly  related  to  their 
professional  duties. 

Sincerely, 

ROBERT  P.  NIMMO 
Administrator 


DEPARTMENT  OF  THE  TREASURY 

WASHINGTON.  D.C.  20220 
August  4,  1981 



Mr.  W.  D.  Campbell,  Acting  Director 
Accounting  and  Financial  Management  Division 
U.S.  General  Accounting  Office 
Washington,  D.C.  20548 

Dear  Mr.  Campbell: 

This  responds  to  the  request  to  the  Secretary 
of  the  Treasury  for  comments  on  the  GAO  draft  report 
entitled  "Continuing  Need  by  Federal  Agencies  To 
Develop  Greater  Computer  Audit  Capabilities."  The 
report  recommends  actions  Federal  agencies  need  to 
take  to  define,  develop,  and  maintain  appropriate 
computer  audit  capabilities. 

We  generally  support  the  recommendations  made 
in  the  report.  However,  the  table  on  page  28  show¬ 
ing  the  number  of  professional  audit  staff  and  the 
number  of  auditors  who  are  considered  computer 
audit  specialists  or  generalists  is  misleading  as 
it  pertains  to  Treasury. 

As  stated  in  the  scope  section  of  the  report 
on  page  5,  GAO  reviewed  the  computer  audit  activities 
of  19  Federal  inspector  general  and  internal  audit 
organizations.  One  of  these  was  Treasury.  The  table 
on  page  28,  however,  shows  only  the  immediate  Office 
of  the  Inspector  General  with  an  audit  staff  of  10 
and  the  Treasury's  Office  of  the  Comptroller  of  the 
Currency  with  a  staff  of  6.  As  of  June  30,  1980, 
the  audit  staff  for  the  Department  as  a  whole  totaled 
633,  of  which  33  were  computer  audit  specialists  or
generalists.

Treasury  has  a  decentralized  audit  system,  and 
we  can  and  frequently  do  call  on  the  resources  of  the 
bureau  staffs  as  required.  We  believe,  therefore,
that  the  table  should  be  adjusted  to  show  the 
figures  for  the  entire  Department. 

We  appreciate  the  opportunity  to  review  and 
comment  on  this  draft  report. 

Sincerely, 


Paul  K.  Trause 


Comptroller  of  the  Currency 
Administrator  of  National  Banks 

Washington,  D.  C.  20219 


July  29,  1981 


Mr.  William  J.  Anderson 
Director 

General  Government  Division 
U.S.  General  Accounting  Office 
Washington,  D.C.  20548 

Dear  Mr.  Anderson: 

We  have  reviewed  your  June  29,  1981  draft  of  the  proposed  GAO  report  entitled
"Continuing  Need  by  Federal  Agencies  to  Develop  Greater  Computer  Audit
Capabilities."

In  the  report,  GAO  notes  that  the  Federal  Government's  dependence  on  the
computer  continues  to  grow,  increasing  the  need  for  properly  designed  and
operating  computer  system  controls  and  efficient,  effective,  and  economical
use  of  computer  equipment,  programs,  personnel,  and  other  resources.
Specifically,  GAO  recommends  actions  every  Federal  agency  should  take  to 
define,  develop,  and  maintain  appropriate  computer  audit  capabilities. 

The  Office  of  the  Comptroller  of  the  Currency  (OCC)  concurs  with  GAO's 
conclusions  and  recommendations  contained  in  the  draft  report.  In  the  past 
year,  our  audit  division  has  surveyed  our  data  processing  division  and  will 
be  reviewing  the  adequacy  of  the  OCC's  data  security  before  the  end  of  1981. 
There  has  been  a  renewed  emphasis  on  effective  computer  auditing  within  our 
agency.  During  future  development  of  OCC's  audit  programs  and  plans,  we  assure 
you  that  we  will  attempt  to  incorporate  all  of  GAO's  recommendations,  at  the 
same  time  balancing  their  use  with  anticipated  resource  constraints. 

We  appreciate  the  opportunity  to  comment  on  the  draft  report. 


Charles  E.  Lord 

Acting  Comptroller  of  the  Currency 

Department  of  Energy 
Washington,  D.C.  20585 

July  28,  1981 


Mr.  W.  D.  Campbell 

Accounting  and  Financial  Management 

Division 

U.  S.  General  Accounting  Office 
Washington,  D.  C.  20548 

Dear  Mr.  Campbell:

We  have  reviewed  with  interest  the  General  Accounting  Office 
(GAO)  draft  report  entitled,  "Continuing  Need  by  Federal  Agencies 
to  Develop  Greater  Computer  Audit  Capabilities,"  and  substantially 
agree  with  the  issues  and  recommendations  in  the  report.  Recognizing
the  need  to  develop  greater  computer  audit  capability,  we
have  initiated  action  to  improve  our  ADP  audit  management. 

During  the  last  two  years  we  established  an  ADP  Systems  Audit  Branch 
within  the  Office  of  the  Inspector  General  (IG).  The  Branch  is
staffed  with  three  computer  specialists  and  we  are  recruiting  for
a  fourth.  One  of  the  Branch's  first  tasks  was  to  perform  a  preliminary
risk  assessment  of  the  Department's  ADP  applications  to
identify  areas,  functions,  or  programs  where  audit  coverage  should
be  directed.  The  IG,  working  with  the  Office  of  ADP  Management,
the  Office  of  Computer  Services  and  Telecommunications  Management
and  the  Controller,  identified  the  existing  and  planned  computer
systems  and  applications.  The  IG  also  received  guidance  from  the 
Office  of  Management  and  Budget,  GAO  and  other  agencies  to  determine 
the  extent  to  which  computer  activities  need  auditing. 

After  identifying  the  Department's  computer  universe  and  auditing 
needs,  the  IG  developed  an  ADP  audit  plan  that  established  a 
prioritized  audit  program  for  the  next  year.  GAO  computer  audit 
standards  were  used  by  the  IG  staff  to  develop  specific  audit 
guides. 

During  the  first  year  the  IG  staff  conducted  several  significant 
audits  of  the  following  aspects  of  ADP  operations: 

--Security  of  selected  Departmental  computer  sites 
--Development  costs  of  computer-based  information  systems 
--Economical,  efficient  and  effective  use  of  ADP  resources 
--Aspects  of  selected  computer  systems  design,  development 
and  implementation 

Our  ADP  audit  program  for  Fiscal  Year  1982,  which  we  intend  to 
supplement  with  outside  contractor  support  to  increase  our  ADP 
audit  coverage,  will  include  audits  of: 

--Acquisition  of  major  ADP  hardware  systems 
--Acquisition  of  ADP  software  packages 
--Acquisition  and  utilization  of  mini-computers
--Security  Controls  over  classified  ADP  systems 
--Design  and  development  of  selected  financial  systems 

We  also  plan  to  increase  the  level  of  computer  knowledge  of  the 
audit  staff  through  on-the-job  training  offered  by  the  computer 
specialists  and  selected  training  courses  provided  by  the 
departmental  ADP  staff  or  commercial  sources. 

We  believe  that  the  Department  is  making  substantial  progress 
in  establishing  a  long-range  ADP  audit  capability.  GAO  should 
realize,  however,  that  although  we  have  taken  steps  to  hire 
computer  specialists,  develop  an  aggressive  ADP  audit  plan  and 
cross  train  other  auditors  in  ADP  matters,  audit  staffing 
ceilings  and  competing  priorities  realistically  limit  the 
possibilities  of  providing  comprehensive  audit  coverage  to  our 
over  2,600  computer  systems.  We  are  continuing  to  make  every 
effort  to  fully  implement  your  recommendations  and  believe  that 
issuance  of  your  final  report  should  help  us  in  attaining  this
goal.


Sincerely, 



William  S.  Heffelfinger
Assistant  Secretary 
Management  and  Administration 

UNITED  STATES  DEPARTMENT  OF  COMMERCE
The  Inspector  General
Washington,  D.C.  20230

30  JUL  1981


Wilbur  D.  Campbell
Acting  Director
Accounting  &  Financial  Management  Division
U.S.  General  Accounting  Office
Washington,  D.C.

Dear  Mr.  Campbell:

We  have  reviewed  GAO's  draft  report  "Continuing  Need  By  Federal 
Agencies  to  Develop  Greater  Computer  Audit  Capabilities".  The 
report  covers  a  problem  that  has  long  concerned  Federal  internal 
audit  staffs  -  the  adequacy  of  ADP  audit  coverage.  However,  it 
does  not  fully  develop  the  causes  of  the  problem  and  its 
recommended  solutions  will  not  substantially  increase  the  number 
and  quality  of  ADP  audits. 

Most  internal  audit  organizations  are  criticized  for  inadequate 
computer  audit  work,  but  specific  deficiencies  are  not  identified 
and  discussed.  The  report  would  be  much  more  valuable  to  agency 
and  internal  audit  management  if  organizations  doing  good  and 
poor  jobs  were  identified.  Management  could  take  corrective 
action  and  strengthen  internal  audit  staffs. 

The  report  states  that  two  causes  of  inadequate  ADP  audit 
coverage  are  lack  of  management  support  (pp.  7,  13,  14,  and  22)
and  staffing  restrictions  (pp.  7,  14,  and  22).  Department
of  Commerce  management  fully  supports  the  Office  of  Inspector 
General  audit  efforts  and  in  the  past,  has  requested  ADP  audits, 
including  system  development  audits.  My  top  staff  and  I  place  a 
high  priority  on  ADP  audits,  and  are  working  to  improve  our  ADP 
audit  capabilities  and  coverage. 

Specific  comments  on  the  report  recommendations  follow: 

Identify  the  agency's  computer  audit  universe,  including 
existing  computer  systems  and  applications  as  well  as 
those  being  planned  for  design  and  development. 

As  part  of  our  normal  audit  planning  process  we  maintain 
an  inventory  of  the  computer  audit  universe.  To  the 
extent  possible  it  includes  major  new  system  development 
projects.  It  is  not  practical  to  include  all 
applications  that  are  planned  for  development. 
Maintaining  the  inventory  at  the  system,  as  opposed  to 
application,  level  is  adequate. 

Determine  the  extent  to  which  computer  activities  need 
auditing  and  conduct  needed  audits  based  on  requirements 
of  the  GAO  computer  audit  standards  relating  to  the  (1) 

adequacy  of  general  and  application  controls;  and  (2) 
efficient,  effective,  and  economical  use  of  computers. 

Implementation  of  this  recommendation  is  made  difficult
by  the  lack  of  specifics  in  the  draft  report  as 
mentioned  above.  We  will  continue  to  perform  audits  in 
accordance  with  GAO  standards  on  a  priority  basis  within 
the  resources  available. 

Determine  the  staff  and  skills  needed  to  meet  computer 
audit  responsibilities,  and  consider  alternatives  for 
developing  and  sustaining  these  capabilities. 

We  consider  the  skills  needed  to  do  ADP  audits  when 
preparing  audit  plans  for  the  year.  Generally,  we  rely 
on  outside  hiring  if  needed  skills  are  not  available 
in-house.  In  the  future  we  plan  to  hire  consultants  to 
complement  and  supplement  in-house  staff. 

Periodically  review  audit  coverage  of  computer  systems 
and  adjust  allocations  of  staff  resources  accordingly. 

When  preparing  annual  audit  plans  we  review  the 
completed  computer  system  audits,  on-going  audits  and 
the  universe  of  ADP  audits  that  should  be  done.  Staff 
is  assigned  as  required. 

Establish  a  basic  level  of  computer  knowledge  which  all 
audit  staff  must  attain.  Auditors  may  reach  this  basic 
level  through  their  own  educational  programs  or  by 
training  during  their  employment. 

It  is  very  difficult  to  establish  a  basic  level  of 
computer  knowledge  which  all  audit  staff  must  attain, 
particularly  since  the  report  does  not  provide  any 
information  on  what  this  basic  level  should  be.  If  GAO 
has  established  a  base  level  of  computer  knowledge  which 
its  auditors  must  attain  we  would  consider  reviewing  and 
adopting  such  a  standard. 

In  addition,  we  recommend  that  the  Office  of  Management 
and  Budget  monitor  agencies’  progress  in  developing  and 
maintaining  their  computer  audit  capabilities,  and 
provide  guidance  as  appropriate,  addressing  internal 
audit  evaluation  of  computer-related  controls. 

We  do  not  believe  additional  guidance  from  OMB  is
needed.  OMB  Circular  No.  A-71,  transmittal  memorandum
No.  1  already  requires  the  periodic  audit  or  review  of
all  sensitive  computer  application  systems.  The  GAO
audit  standards  clearly  establish  the  auditor's
responsibilities  for  ADP  audits.  As  the  report  points
out,  OMB  has  prescribed  these  standards  as  the  basic
criteria  for  audit  coverage  and  operations.  It  is

difficult  to  understand  what  additional  guidance  is 
needed.


Thank  you  for  giving  us  the  opportunity  to  comment  on  this  draft 
report.  If  you  or  your  staff  need  additional  information  or  wish 
to  discuss  our  comments,  please  call  me. 


Sincerely  yours,


GAO  Note:  The  page  references  have  been  changed  in  this  letter  where
necessary  to  correspond  to  the  final  report.

Federal  Home  Loan  Bank  Board
1700  G  Street,  N.W.
Washington,  D.C.  20552

Federal  Home  Loan  Bank  System
Federal  Home  Loan  Mortgage  Corporation
Federal  Savings  and  Loan  Insurance  Corporation

RICHARD  T.  PRATT
CHAIRMAN

JUL  27  1981


Mr.  William  J.  Anderson
Director,  General  Government  Division
General  Accounting  Office
441  G  Street,  N.W.
Washington,  D.C.  20548

Dear  Mr.  Anderson: 

This  is  in  response  to  your  letter  of  June  26,  1981, 
requesting  our  comments  on  your  draft  report  entitled,  "Continuing 
Need  by  Federal  Agencies  to  Develop  Greater  Computer  Audit 
Capabilities." 

We  concur  with  the  spirit  and  intent  of  GAO's  report 
emphasizing  the  need  for  adequate  audit  coverage  of  federal 
agencies'  computer  operations  and  believe  that  we  are  in 
compliance  with  the  recommendations.  Therefore,  I  am  pleased  to 
offer  the  following  comments. 

The  Bank  Board  is  committed  to  the  development  of  an 
effective  internal  audit  function  and  over  the  past  few  years  has 
worked  diligently  toward  meeting  this  goal.  In  January  1978,  the 
internal  audit  responsibility  of  the  Bank  Board  was  removed  as  a 
line  management  function  and  was  established  as  an  independent 
Internal  Review  Office  reporting  directly  to  the  Chairman  and 
Members  of  the  Bank  Board.  Subsequently,  in  keeping  with  the 
intent  of  the  Inspectors  General  Act  of  1978,  the  Office's 
responsibilities  were  expanded  to  include  an  investigative 
function  and  the  Office  was  renamed  the  Internal  Evaluation  and 
Compliance  Office  (IE&CO)  to  reflect  this  reorganization.  At  the 
same  time,  one  full-time  supervisory  auditor  position  in  IE&CO  was 
dedicated  to  coordinating  and  managing  the  agency's  computer  audit 
responsibilities.  We  believe  that  such  a  commitment  of  resources 
solely  to  computer  auditing  is  significant  considering  the  small 
size  of  both  the  agency  and  IE&CO.  The  individual  currently 
filling  this  position  has  four  years  of  computer  audit  experience 
in  the  federal  government  and  receives  periodic  training  from 
professional  audit  organizations  to  maintain  proficiency. 

In  addition,  a  survey  to  identify  the  Bank  Board's  computer 
audit  universe  has  been  substantially  completed.  The  survey 
results  will  serve  to  (a)  determine  the  extent  to  which  the 

agency's  computer  activities  need  auditing  and  (b)  identify  the 
staff  resources  necessary  to  meet  the  agency's  computer  audit 
responsibilities. 

Finally,  we  are  attempting  to  expose  each  of  our  auditors  to 
a  basic  level  of  computer  audit  principles  and  skills.  This 
training  is  provided  through  the  actual  performance  of  computer 
audits  under  the  close  supervision  of  the  IE&CO  computer  auditor 
as  well  as  through  external  educational  programs  sponsored  by 
organizations  such  as  the  Institute  of  Internal  Auditors  and  the 
Interagency  Auditors  Training  Program.  More  experienced  levels  of 
training  will  also  be  provided  to  the  auditors  as  needed  to  meet 
any  expanded  computer  audit  responsibilities  of  the  agency. 

In  closing,  I  believe  these  actions  demonstrate  the 
importance  that  the  Bank  Board  places  on  an  effective  audit  and 
investigative  function  including  a  strong  computer  audit  capability.
We  appreciate  the  opportunity  to  comment  on  GAO's  report  and
welcome  any  additional  recommendations  for  improvement. 

Please  let  me  know  if  I  may  be  of  any  further  service  in  the 
matter. 


Richard  T.  Pratt 

THE  POSTMASTER  GENERAL 
Washington,  DC  20260 


July  27,  1981 


Dear  Mr.  Anderson: 

Thank  you  for  the  opportunity  to  comment  on  your  draft 
report,  "Continuing  Need  By  Federal  Agencies  To  Develop 
Greater  Computer  Audit  Capabilities." 

We  agree  with  the  report's  recommendations  to  the  heads 
of  Federal  agencies  and  have  already  taken  steps  along 
the  lines  the  report  recommends. 

Our  major  computer  audit  universe  has  been  identified 
and  our  auditors  keep  up  with  the  development  of  new 
systems  through  our  Business  Systems  Plan. 

The  extent  to  which  computer  activities  need  auditing 
has  been  determined  and  we  have  identified  the  skill 
levels  needed  to  assure  an  adequately  trained  staff 
for  computer  audits. 

All  the  report's  recommendations  have  either  been  imple¬ 
mented  or  are  in  the  final  stages  of  implementation. 


Sincerely, 


Mr.  William  J.  Anderson 
Director,  General  Government 
Division 

U.S.  General  Accounting  Office 
Washington,  D.  C.  20548 

(913590) 
